B-6
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
AppendixB Authentication in ACS 5.4
EAP-TLS
Overview of EAP-TLS
EAP-TLS is one of the methods in the EAP authentication framework, a nd is based on the 802.1x and
EAP architecture. Components involved in the 802.1x and EAP authentication process are the:
Host—The end entity, or end user’s machine.
AAA client—The network access point.
Authentication server—ACS.
The EAP-TLS standard is described in:
RFC 2716—PPP EAP-TLS Authentication Protocol
RFC 3079—Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)
This section contains the following topics:
User Certificate Authentication, pageB-6
PKI Authentication, page B-7
The host must support EAP-TLS authentication. The access point must suppo rt the EAP authentication
process in the 802.1x environment (the access point is not aware of the EAP authentication protocol
type).
Related Topics
Configuring CA Certificates, page8-71
Certificate-Based Network Access, page4-9
ACS and Cisco Security Group Access, page 4-23
EAP-TLS Flow in ACS 5.4, pageB-13

User Certificate Authentication

EAP-TLS is a mutual authentication method for certificate-based authentication; the client and server
authenticate each other by using digital certificates. Certificates must meet specific requirements on the
server and client for successful authentication. EAP and TLS are Internet Engineering Task Force (IETF)
RFC standards.
The EAP protocol carries initial authentication information, specifically the encapsulation of EAP over
LANs (EAPOL) as established by IEEE 802.1x. TLS uses certificates for user authentication and
dynamic ephemeral session key generation.
After the peer is authenticated and a session is created, the information is cached on ACS for a certain
amount of time. The session can be re-established by using the EAP-TLS session state and the session
ticket resume, without an additional certificate exchange.
ACS 5.4 maintains the server certificate and private key in files on the ACS server, which it uses during
EAP-TLS processing. You can choose the certificate authorities (CAs) that can be trusted to sign on
client certificates.
EAP-TLS authentication involves two elements of trust:
The EAP-TLS negotiation establishes end-user trust by validating, through RSA signature
verifications, that the user possesses a keypair that a certificate signs.
This process verifies that the end user is the legitimate keyholder for a given digital certificate and
the corresponding user identification in the certificate. However, trusting that a user possesses a
certificate only provides a username-keypair binding.