Cisco Acs 57 User Guide

Page 571

Authentication in ACS 5.7
EAP-FAST
For information about how master key generation and PAC TTL values determine whether PAC provisioning or PAC 
refreshing is required, see Master Key Generation and PAC TTLs, page 24.
3.Determine whether you want to use automatic or manual PAC provisioning. 
For more information about the two means of PAC provisioning, see Automatic In-Band PAC Provisioning, page 21, 
and Manual PAC Provisioning, page 22.
We recommend that you limit the use of Automatic In-Band PAC...

Page 572

Key Distribution Algorithm
The common seed-key is a relatively large and completely random buffer that is generated by the primary ACS server. 
The seed-key is generated only once, during installation, or it can be manually regenerated by an administrator. The 
seed-key should rarely be replaced, because if you change the seed-key, all of the previous master-keys and PACs are 
automatically deactivated.
The seed-key is generated by using an RNG that...

Page 573

EAP Authentication with RADIUS Key Wrap
You can configure ACS to use PEAP, EAP-FAST and EAP-TLS authentication with RADIUS Key Wrap. ACS can then 
authenticate RADIUS messages and distribute the session key to the network access server (NAS). The EAP session key 
is encrypted by using Advanced Encryption Standard (AES), and the RADIUS message is authenticated by using 
HMAC-SHA-1.
Because RADIUS is used to transport EAP messages (in...

Page 574

CHAP
MSCHAPv2 for User Authentication, page 28
MSCHAPv2 for Change Password, page 28
Windows Machine Authentication Against AD, page 28
MSCHAPv2 for User Authentication
ACS supports the EAP-MSCHAPv2 authentication protocol as the inner method of EAP-FAST and PEAP. The protocol is 
an encapsulation of MSCHAPv2 into the EAP framework. Mutual authentication occurs against the configured credential 
database. 
The client does not send its password, but a cryptographic...

Page 575

If you are using the ACS internal database for authentication, you can use PAP or CHAP. CHAP does not work with the 
Windows user database. Compared to RADIUS PAP, CHAP allows a higher level of security for encrypting passwords 
when communicating from an end-user client to the AAA client.
LEAP
ACS currently uses LEAP only for Cisco Aironet wireless networking. If you do not enable this option, Cisco Aironet 
end-user clients who are configured to perform LEAP...

Page 576

Certificate Attributes
SAN—otherName
If the certificate does not contain the configured attribute, authentication fails.
Note: ACS 5.7 supports short hard-coded attributes and certificate attribute verification only for the EAP-TLS 
protocol.
Certificate Binary Comparison
You can perform binary comparison against a certificate that ACS receives from an external identity store and determine 
the identity store's parameters that will be used for the comparison.
Note:...

Page 577

Machine Authentication
Possible reasons for revocation of a certificate include suspicion that the associated private key has been compromised 
or the realization that the certificate was issued improperly. If either of these conditions exists, the certificate is rejected.
ACS supports a static CRL that contains a list of URLs used to acquire the CRL files that are configured in the ACS database.
Note: ACS does not support delta CRLs in certificate revocation validation. 
You...

Page 578

Authentication Protocol and Identity Store Compatibility
Note: If a computer fails machine authentication and the user has not successfully logged in to the domain by using the 
computer since the most recent user password change, the cached credentials on the computer will not match the new 
password. Instead, the cached credentials will match an older password of the user, provided that the user once 
successfully logged in to the domain from this computer.
User network...

Page 579

Table 45 EAP Authentication Protocol and User Database Compatibility
Columns: Identity Store | EAP-MD5 | EAP-TLS (see footnote 1) | PEAP-TLS (see footnote 2)
Footnote 1: In EAP-TLS authentication, the user is authenticated by cryptographic validation of the certificate. Additionally, ACS 5.7 optionally allows a 
binary comparison of the user's certificate sent by the end-user client against the certificate located in the user's record in the LDAP identity 
store.
Footnote 2: In...
