B-8
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
AppendixB Authentication in ACS 5.4
EAP-TLS
You can configure the timeout for each session in the cache, for each protocol individually. The lifetime
of a session is measured from the beginning of the conversation and is dete rmined when the TLS session
is created.
ACS supports establishment of a tunnel from a commonly shared key known to the client and the server
for the EAP-FAST protocol. The key that is securely agreed upon between the two peers is used to derive
a shared tunnel TLS-master-key that is used to open a tunnel. This mechanism involves a shorter TLS
negotiation.
An anonymous Diffie-Hellman tunnel relates to the establishment of a completely anonymous tunnel
between a client and a server for cases where none of the peers authenticates itself. ACS runtime
supports anonymous Diffie-Hellman tunnels for EAP-FAST with a predefined prime and a predefined
generator of two. There is no server authentication conducted within anonymous Diffie-Hellman tunnel
cipher-suites.
An authenticated Diffie-Hellman tunnel is similar to an anonymous Diffie-Hellman tunnel. The
additional factor of the authenticated Diffie-Hellman tunnel is that peer authentication is conducted
through an RSA certificate. ACS supports Authenticated-Diffie-Hellman tunnels for EAP-FAST where
the server authenticates by using its own certificate.
Additional client authentications are conducted within the tunnel by using other protocols, such as
EAP-MSCHAPv2 or EAP-GTC for the inner EAP method.
Related Topics
Configuring Local Server Certificates, page18-14
Configuring CA Certificates, page8-71
Configuring Certificate Authentication Profiles, page8-75
PKI Credentials
This section contains the following topics:
PKI Usage, pageB-8
Fixed Management Certificates, pageB-9
Importing Trust Certificates, pageB-9
Exporting Credentials, page B-11

PKI Usage

ACS supports using certificates for various PKI use cases. The main use case is the EAP-TLS protocol,
where the PKI is used to authenticate not only the server, but also the client (PEAP and EAP-FAST also
make use of certificates for server authentication, but do not perform client authentication). Other
protocols which use the PKI credentials are LDAPS, HTTPS Management protocol, SSH, and SFTP.
For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS
related EAP protocols. You can pick the certificate to use from any of the certificates containing a
private-key in the Local Certificate store.
For other protocols, such as HTTPS, SFTP, and SSH, and for the message-bus ActiveMQ authentication,
a single certificate should be configured to authenticate ACS. You can pick the certificate to use from
any of the certificates containing a private-key in the Local Certificate store. You can configure the same
local certificate for the TLS-related EAP protocols and for HTTPS Management protocol.