B-13
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-TLS

Private Keys and Passwords Backup

The entire ACS database, including all certificates, private keys and the encrypted private-key passwords, is distributed and backed up on the primary ACS. The private-key-password key of the primary server is also included in the primary's backup; the private-key-password keys of the secondary ACS servers are not backed up. Backups are encrypted and can therefore be moved in and out of the ACS servers with relative safety. The private keys in a backup are protected both by PKCS#12 and by the backup-file encryption, and the passwords that open the PKCS#12 private keys are protected by the backup encryption.
EAP-TLS Flow in ACS 5.4
An EAP-TLS server exchanges data with a client using packets based on the EAP Request and Response packets, extended with EAP-TLS-specific data. ACS acts as the EAP-TLS server and uses the Open Secure Sockets Layer (OpenSSL/CiscoSSL) library to process the TLS conversation. The ACS EAP-TLS server produces 128-bit MPPE send and receive keys that are used for encrypted communication between the client and the server.
The ACS EAP-TLS server sends the MPPE keys to the client in the vendor-specific RADIUS attribute (26), using vendor code Microsoft (311) and the attributes MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17).
Figure B-2 shows the EAP-TLS processing flow between the host, network device, and ACS EAP-TLS
server when the stateless session resume option is not used.
Figure B-2 EAP-TLS Flow
1. A host connects to the network. The network device sends an EAP Request to the host.
2. The host sends an EAP Response to the network device; the network device embeds the EAP packet that it received from the host into a RADIUS Access-Request and sends it to ACS.
3. ACS negotiates the EAP method for authentication. The server and client must reach agreement to use EAP-TLS (EAP Request method 13) during EAP method negotiation to instantiate EAP-TLS authentication.
4. The client (host) and server (ACS) exchange certificates; this exchange involves several messages. EAP-TLS authentication is successful after the client and server have authenticated each other, and each side is aware that the other side has authenticated them.
5. ACS returns an EAP Success (or EAP Failure) message to the host and returns a RADIUS Access-Accept (or RADIUS Access-Reject) that includes session keys to the network device.
[Figure B-2 diagram: Host, Network device and ACS EAP-TLS server, with the five numbered exchanges above drawn between them.]
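As an added example that is not from the Cisco guide or from ACS itself, the Python below shows how the MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17) sub-attributes described above are carried in RADIUS attribute 26 with vendor code 311, and how the key material is hidden per RFC 2548 before it travels in the Access-Accept of step 5: the MD5-based wrapping is keyed only by the RADIUS shared secret and the Request Authenticator, so the confidentiality of the session keys on the ACS-to-network-device leg is bounded by the strength of that shared secret. The shared secret, Request Authenticator, key bytes and all function names are constructed for illustration.

```python
import hashlib
MS_VENDOR_ID = 311                         # Microsoft vendor code carried in RADIUS attribute 26
MPPE_KEY_NAMES = {16: "send", 17: "recv"}  # MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17)

def mppe_encrypt(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """RFC 2548 hiding of an MPPE key: len||key, zero-padded to 16, XORed with an MD5 chain."""
    plain = bytes([len(key)]) + key + b"\x00" * (15 - len(key) % 16)
    out, prev = b"", req_auth + salt                    # c(0) = Request Authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()         # b(i) = MD5(shared secret + c(i-1))
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += prev
    return salt + out

def mppe_decrypt(blob: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of mppe_encrypt; rejects a malformed salt or body and an implausible length."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MPPE key attribute")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    if plain[0] > len(plain) - 1:                       # garbage length byte: wrong shared secret?
        raise ValueError("implausible key length")
    return plain[1:1 + plain[0]]

def build_ms_vsa(vendor_type: int, value: bytes) -> bytes:  # attribute 26 holding one MS sub-attribute
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([26, len(sub) + 6]) + MS_VENDOR_ID.to_bytes(4, "big") + sub

def iter_tlvs(buf: bytes):  # (type, value) pairs of a RADIUS Type/Length/Value list
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("bad TLV length")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def parse_ms_mppe_keys(attrs: bytes, secret: bytes, req_auth: bytes) -> dict:
    """Recover the MPPE send/recv keys from the Microsoft VSAs in an Access-Accept attribute list."""
    keys = {}
    for atype, value in iter_tlvs(attrs):
        if atype != 26 or len(value) < 6 or int.from_bytes(value[:4], "big") != MS_VENDOR_ID:
            continue
        for stype, svalue in iter_tlvs(value[4:]):
            if stype in MPPE_KEY_NAMES:
                keys[MPPE_KEY_NAMES[stype]] = mppe_decrypt(svalue, secret, req_auth)
    return keys
```

Any attribute that is not a Microsoft VSA is skipped, and a wrong shared secret produces either a rejected length byte or unrelated bytes, never the original key.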