Cisco Acs 5x User Guide
Page 601
B-21 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Appendix B Authentication in ACS 5.3 EAP-FAST
ACS-Supported Features for PACs, page B-24
Master Key Generation and PAC TTLs, page B-26
EAP-FAST for Allow TLS Renegotiation, page B-26
About Master-Keys
EAP-FAST master-keys are strong secrets that ACS automatically generates and of which only ACS is aware. Master-keys are never sent to an end-user client. EAP-FAST requires master-keys for two purposes: PAC generation—ACS...
Page 602
B-22 EAP-FAST
Provisioning Modes
ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates inside a TLS tunnel established using Anonymous DH, Authenticated DH, or RSA for key agreement. To minimize the risk of exposing the user's credentials, a clear-text password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC...
Page 603
B-23 EAP-FAST
The various means by which an end-user client can receive PACs are:
PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC provisioning is required, see Master Key Generation and PAC TTLs, page B-26. The two supported means of PAC provisioning are:
– Automatic In-Band PAC Provisioning—Sends a PAC...
Page 604
B-24 EAP-FAST
To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-18.
Manual PAC Provisioning
Manual PAC provisioning requires an ACS administrator to generate PAC files, which must then be distributed to the applicable network users. Users must...
Page 605
B-25 EAP-FAST
The proactive PAC update time is configured for the ACS server in the Allowed Protocols page. This mechanism allows the client to be always updated with a valid PAC.
Note: There is no proactive PAC update for Machine and Authorization PACs.
Accept Peer on Authenticated Provisioning
The peer may be authenticated during the provisioning phase.
PAC-Less Authentication
With PAC-less...
Page 606
B-26 EAP-FAST
Master Key Generation and PAC TTLs
The values for master key generation and PAC TTLs determine their states, as described in About Master-Keys, page B-21 and Types of PACs, page B-22. Master key and PAC states determine whether someone requesting network access with EAP-FAST requires PAC provisioning or PAC refreshing.
Related Topics
About PACs, page B-21
Provisioning Modes, page...
Page 607
B-27 EAP-FAST
To enable ACS to perform EAP-FAST authentication:
Step 1 Configure an identity store that supports EAP-FAST authentication. To determine which identity stores support EAP-FAST authentication, see Authentication Protocol and Identity Store Compatibility, page B-35. For information about configuring identity stores, see Chapter 8, “Managing Users and Identity Stores”.
Step 2 Determine...
Page 608
B-28 EAP-FAST
This scheme improves security by reducing the amount of cryptographically sensitive material that is transmitted.
This section contains the following topics:
Key Distribution Algorithm, page B-28
EAP-FAST PAC-Opaque Packing and Unpacking, page B-28
Revocation Method, page B-28
PAC Migration from ACS 4.x, page B-29
Key Distribution Algorithm
The common seed-key is a relatively...
Page 609
B-29 EAP Authentication with RADIUS Key Wrap
PAC Migration from ACS 4.x
Although the configuration can be migrated from 4.x, the PACs themselves, because they are stored only in supplicants, may still have been issued by versions as far back as ACS 3.x. ACS 5.3 accepts PACs of all types according to migrated master-keys from versions 4.x onwards, and re-issues a new 5.0 PAC, similar to the proactive...
Page 610
B-30 EAP-MSCHAPv2
EAP-MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol (MSCHAP v2) provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password.
This section contains the following topics:
Overview of EAP-MSCHAPv2, page B-30
EAP-MSCHAPv2...