Cisco Systems CSACS3415K9 PEAPv0/1

B-14

User Guide for Cisco Secure Access Control System 5.4

OL-26225-01

AppendixB Authentication in ACS 5.4

PEAPv0/1

Note All communication between the host and ACS goes through the network device.

EAP-TLS authentication fails if the:

•Server fails to verify the client’s certificate, and rejects EAP-TLS authentication.

•Client fails to verify the server’s certificate, and rejects EAP-TLS authentication.

Certificate validation fails if the:

–

Certificate has expired.

–

Server or client cannot find the certificate issuer.

–

Signature check failed.

•The client dropped cases resulting in malformed EAP packets.

EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature

for fast reauthentication of a user who has already passed full EAP-TLS authentica tion. If the EAP-TLS

configuration includes a session timeout period, ACS caches each TLS session for the duration of the

timeout period.

When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the

EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

ACS 5.4 supports EAP-TLS session resumption without session state to be stored at the server. It also

supports session ticket extension as described in RFC 5077. The ACS server creates a ticket and sends

it to an EAP-TLS client. The client presents the ticket to ACS to resume a session.

The Stateless session resumption is supported in the distributed deployment, so that a session ticket

issued by one node is accepted by another node.

The entire ticket is authenticated over its fields using a MAC with a 128-bit authentication key. The fields

are encrypted using AES-CBC with a 128-bit encryption key and IV that are found in the ticket. The

ACS administrator configures a limited lifetime for the session ticket.