
10-9
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
PEAP authentication always involves two phases. In the first phase, the end-user client authenticates Cisco Secure ACS: this requires a server certificate, and it authenticates Cisco Secure ACS to the end-user client, ensuring that the user or machine credentials sent in phase two go only to a AAA server whose certificate was issued by a trusted CA. The first phase uses a TLS handshake to establish an SSL tunnel.
Note Depending on the end-user client involved, the CA certificate for the CA that issued the Cisco Secure ACS server certificate is likely to be required in the end-user client computer's local store of trusted root CAs.
In phase two, Cisco Secure ACS authenticates the user or machine credentials using an EAP authentication protocol. This EAP authentication is protected by the SSL tunnel created in phase one. The authentication type negotiated in the second phase can be any valid EAP type, such as EAP-GTC (Generic Token Card). Because PEAP can carry any EAP authentication protocol, a specific combination of PEAP and an EAP protocol is written with the EAP protocol in parentheses, such as PEAP(EAP-GTC). For the authentication protocols that Cisco Secure ACS supports in phase two of PEAP, see Authentication Protocol-Database Compatibility, page 1-10.
One security improvement that PEAP offers is identity protection: the ability to protect the username in all PEAP transactions. After phase one of PEAP, all data is encrypted, including the username information that is usually sent in clear text. The Cisco Aironet PEAP client sends the user identity only through the SSL tunnel; the initial identity used in phase one, which is sent in the clear, is the MAC address of the end-user client prefixed with “PEAP_”. The Microsoft PEAP client does not provide identity protection; it sends the username in the clear in phase one of PEAP authentication.
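The difference between the two clients is visible to anyone who can see the phase-one EAP-Response/Identity frame, which is why an administrator auditing a wireless deployment may want to check what outer identities supplicants actually send. The following is an added example, not Cisco code and not part of this guide: it parses constructed 802.1X EAPOL frames (IEEE 802.1X EAPOL header followed by an RFC 3748 EAP header) and classifies the outer identity as protected (a "PEAP_"-prefixed MAC address, as the Cisco Aironet client sends) or as a username sent in the clear (as the Microsoft client sends). The exact MAC formatting in the Aironet outer identity is not specified on this page, so the regular expression that accepts 12 hex digits with optional separators is an assumption, and all frames and usernames below are constructed sample data.

```python
"""Audit phase-one (outer) EAP identities for username leakage.

Added example; not Cisco Secure ACS code. Frame layouts follow IEEE 802.1X
(EAPOL: version, type, length) and RFC 3748 (EAP: code, id, length, type).
"""
import re
import struct
from typing import List, Optional, Tuple

EAPOL_VERSION = 1
EAPOL_TYPE_EAP_PACKET = 0      # EAPOL type 0 carries an EAP packet
EAP_CODE_RESPONSE = 2          # EAP code 2 = Response
EAP_TYPE_IDENTITY = 1          # EAP type 1 = Identity

# Assumption: a protected outer identity is "PEAP_" followed by the client MAC
# address; we accept 12 hex digits with optional ':' or '-' separators.
PROTECTED_OUTER_ID = re.compile(r"^PEAP_([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def build_eapol_identity_response(eap_id: int, identity: str) -> bytes:
    """Build a constructed EAPOL frame carrying an EAP-Response/Identity."""
    type_data = identity.encode("utf-8")
    eap_len = 5 + len(type_data)            # 4-byte EAP header + 1-byte type
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY)
    eap += type_data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_outer_identity(frame: bytes) -> Optional[str]:
    """Return the outer identity if the frame is an EAP-Response/Identity, else None."""
    if len(frame) < 4:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None                          # e.g. EAPOL-Start or EAPOL-Key
    eap = frame[4:4 + eapol_len]
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")


def classify_outer_identity(identity: str) -> str:
    """'protected' for a PEAP_<MAC> outer identity, otherwise 'username-in-clear'."""
    if PROTECTED_OUTER_ID.match(identity):
        return "protected"
    return "username-in-clear"


def audit_frames(frames: List[bytes]) -> List[Tuple[str, str]]:
    """Return (outer identity, classification) for every identity response seen."""
    findings = []
    for frame in frames:
        identity = parse_outer_identity(frame)
        if identity is not None:
            findings.append((identity, classify_outer_identity(identity)))
    return findings


# Constructed sample capture: an Aironet-style client, a Microsoft-style client,
# and an EAPOL-Start frame (type 1, no EAP payload) that the audit must skip.
SAMPLE_FRAMES = [
    build_eapol_identity_response(1, "PEAP_001122AABBCC"),
    build_eapol_identity_response(1, "jdoe@example.com"),
    struct.pack("!BBH", EAPOL_VERSION, 1, 0),
]

if __name__ == "__main__":
    for identity, verdict in audit_frames(SAMPLE_FRAMES):
        print(f"{identity!r}: {verdict}")
```

Run against a real capture, the same parser can be pointed at the EAP payloads of EAPOL frames seen on the wired or wireless segment; any "username-in-clear" finding identifies a supplicant configured without identity protection.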
PEAP and Cisco Secure ACS
Cisco Secure ACS supports PEAP authentication using either the Cisco Aironet PEAP client or the Microsoft PEAP client included with Microsoft Windows XP Service Pack 1. With the Cisco Aironet PEAP client, Cisco Secure ACS supports PEAP(EAP-GTC) only. With the Microsoft PEAP client included with Windows XP Service Pack 1, Cisco Secure ACS supports PEAP(EAP-MSCHAPv2) only. For information about which user databases support PEAP protocols, see Authentication Protocol-Database Compatibility, page 1-10.