Cisco Acs 5x User Guide
Page 591 (B-11): User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, Appendix B, Authentication in ACS 5.3, EAP-TLS
There are two types of certificate generation:
– Self-signed certificate generation: ACS supports generation of an X.509 certificate and a PKCS#12 private key. The passphrase used to encrypt the private key in the PKCS#12 is generated automatically as a strong password, and the private key is hidden in the local certificate store. You can select the newly generated certificate for...
Page 592 (B-12, Appendix B, Authentication in ACS 5.3, EAP-TLS)
Credentials Distribution
All certificates are kept in the ACS database, which is distributed and shared between all ACS nodes. The ACS server certificates are associated with and designated for a specific node, which uses that specific certificate. Public certificates are distributed along with the private keys and the protected private-key passwords by using the ACS distributed...
Page 593 (B-13, Appendix B, Authentication in ACS 5.3, EAP-TLS)
Private Keys and Passwords Backup
The entire ACS database is distributed and backed up on the primary ACS along with all the certificates, private keys and the encrypted private-key passwords. The private-key-password-key of the primary server is also backed up with the primary's backup. The private-key-password-keys of secondary ACS servers are not backed up. Backups are encrypted and also...
Page 594 (B-14, Appendix B, Authentication in ACS 5.3, PEAPv0/1)
Note: All communication between the host and ACS goes through the network device.
EAP-TLS authentication fails if the:
– Server fails to verify the client's certificate, and rejects EAP-TLS authentication.
– Client fails to verify the server's certificate, and rejects EAP-TLS authentication.
Certificate validation fails if the:
– Certificate has expired.
– Server or client cannot find the...
Page 595 (B-15, Appendix B, Authentication in ACS 5.3, PEAPv0/1)
Overview of PEAP
PEAP is a client-server security architecture that you use to encrypt EAP transactions, thereby protecting the contents of EAP authentications. PEAP uses server-side public key certificates to authenticate the server. It then creates an encrypted SSL/TLS tunnel between the client and the authentication server. The ensuing exchange of authentication information to...
Page 596 (B-16, Appendix B, Authentication in ACS 5.3, PEAPv0/1)
Server Authenticated and Unauthenticated Tunnel Establishment Modes
Tunnel establishment helps prevent an attacker from injecting packets between the client and the network access server (NAS), or from forcing negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the ACS. A client EAP message is always carried in the...
Page 597 (B-17, Appendix B, Authentication in ACS 5.3, PEAPv0/1)
PEAP Flow in ACS 5.3
The PEAP protocol allows authentication between ACS and the peer by using PKI-based secure tunnel establishment and the EAP-MSCHAPv2 protocol as the inner method inside the tunnel. The local certificate can be validated by the peer (server-authenticated mode) or not validated (server-unauthenticated mode). This section contains: Creating the TLS Tunnel,...
Page 598 (B-18, Appendix B, Authentication in ACS 5.3, EAP-FAST)
Authenticating with MSCHAPv2
After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:
At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the ACS challenge string), and ACS has provided proof of knowledge of the correct password...
Page 599 (B-19, Appendix B, Authentication in ACS 5.3, EAP-FAST)
EAP-FAST is a client-server security architecture that encrypts EAP transactions with a TLS tunnel. While similar to PEAP in this respect, it differs significantly in that EAP-FAST tunnel establishment is based on strong secrets that are unique to users. These secrets are called Protected Access Credentials (PACs), which ACS generates by using a master key known only to ACS....
Page 600 (B-20, Appendix B, Authentication in ACS 5.3, EAP-FAST)
EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. After phase one of EAP-FAST, all...