B-14
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
PEAPv0/1
Note: All communication between the host and ACS goes through the network device.
EAP-TLS authentication fails if the:
• Server fails to verify the client's certificate, and rejects EAP-TLS authentication.
• Client fails to verify the server's certificate, and rejects EAP-TLS authentication.
Certificate validation fails if the:
• Certificate has expired.
• Server or client cannot find the certificate issuer.
• Signature check fails.
The client dropped cases resulting in malformed EAP packets.
EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature for fast reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS configuration includes a session timeout period, ACS caches each TLS session for the duration of the timeout period.
When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the
EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.
ACS 5.4 supports EAP-TLS session resumption without requiring session state to be stored on the server. It also supports the session ticket extension described in RFC 5077: the ACS server creates a ticket and sends it to the EAP-TLS client, and the client presents the ticket to ACS to resume the session.
Stateless session resumption is supported in a distributed deployment, so that a session ticket issued by one node is accepted by another node.
The entire ticket is authenticated over its fields using a MAC with a 128-bit authentication key. The fields are encrypted using AES-CBC with a 128-bit encryption key and an IV that is carried in the ticket. The ACS administrator configures a limited lifetime for the session ticket.
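The paragraphs above describe the RFC 5077 ticket as the guide presents it: fields encrypted with AES-CBC under a 128-bit key with the IV carried in the ticket, the whole ticket authenticated by a MAC under a 128-bit key, a bounded lifetime, and keys shared across nodes so any node in the deployment can accept a ticket another node issued. The following Go program is an added example written for this page; it is not ACS code and does not reproduce ACS's ticket format. It follows the RFC 5077 section 4 layout (key_name, IV, length-prefixed encrypted_state, MAC) and assumes HMAC-SHA256 as the MAC, PKCS#7 padding, and a constructed session-state encoding; the key values and identities are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	keyNameLen  = 16
	ivLen       = aes.BlockSize
	lenFieldLen = 2
	macLen      = sha256.Size
)

// SessionState is the state a node would otherwise have to cache (constructed, simplified).
type SessionState struct {
	Identity string
	CipherID uint16
	Expiry   int64 // Unix seconds; the administrator-configured ticket lifetime ends here
}

// TicketKeys are shared by every node of a deployment so a ticket issued by one
// node verifies on another. Both keys are 128-bit as the guide describes; the
// MAC algorithm (HMAC-SHA256) is an assumption of this example.
type TicketKeys struct {
	KeyName [keyNameLen]byte
	EncKey  [16]byte // AES-128-CBC
	MACKey  [16]byte // HMAC-SHA256
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encodeState serialises the state as: idLen(2) || identity || cipherID(2) || expiry(8).
func encodeState(s SessionState) []byte {
	id := []byte(s.Identity)
	buf := make([]byte, 2+len(id)+2+8)
	binary.BigEndian.PutUint16(buf[0:2], uint16(len(id)))
	copy(buf[2:], id)
	off := 2 + len(id)
	binary.BigEndian.PutUint16(buf[off:off+2], s.CipherID)
	binary.BigEndian.PutUint64(buf[off+2:off+10], uint64(s.Expiry))
	return buf
}

func decodeState(b []byte) (SessionState, error) {
	if len(b) < 2 {
		return SessionState{}, errors.New("state too short")
	}
	n := int(binary.BigEndian.Uint16(b[0:2]))
	if len(b) != 2+n+2+8 {
		return SessionState{}, errors.New("state length mismatch")
	}
	return SessionState{
		Identity: string(b[2 : 2+n]),
		CipherID: binary.BigEndian.Uint16(b[2+n : 4+n]),
		Expiry:   int64(binary.BigEndian.Uint64(b[4+n : 12+n])),
	}, nil
}

// IssueTicket builds key_name || iv || len(2) || encrypted_state || mac, with the
// MAC computed encrypt-then-MAC over everything that precedes it.
func IssueTicket(keys *TicketKeys, s SessionState) ([]byte, error) {
	block, err := aes.NewCipher(keys.EncKey[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen) // fresh random IV per ticket, carried in the ticket
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	plain := pkcs7Pad(encodeState(s))
	enc := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, plain)
	t := make([]byte, 0, keyNameLen+ivLen+lenFieldLen+len(enc)+macLen)
	t = append(t, keys.KeyName[:]...)
	t = append(t, iv...)
	var l [lenFieldLen]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(enc)))
	t = append(t, l[:]...)
	t = append(t, enc...)
	mac := hmac.New(sha256.New, keys.MACKey[:])
	mac.Write(t)
	return mac.Sum(t), nil
}

// ResumeFromTicket verifies the MAC before touching the ciphertext, then decrypts,
// decodes and enforces the lifetime. Any failure means "do a full EAP-TLS authentication".
func ResumeFromTicket(keys *TicketKeys, ticket []byte, now time.Time) (SessionState, error) {
	if len(ticket) < keyNameLen+ivLen+lenFieldLen+macLen {
		return SessionState{}, errors.New("ticket too short")
	}
	if !bytes.Equal(ticket[:keyNameLen], keys.KeyName[:]) {
		return SessionState{}, errors.New("unknown ticket key name")
	}
	body, tag := ticket[:len(ticket)-macLen], ticket[len(ticket)-macLen:]
	mac := hmac.New(sha256.New, keys.MACKey[:])
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time compare
		return SessionState{}, errors.New("ticket MAC mismatch")
	}
	iv := body[keyNameLen : keyNameLen+ivLen]
	n := int(binary.BigEndian.Uint16(body[keyNameLen+ivLen : keyNameLen+ivLen+lenFieldLen]))
	enc := body[keyNameLen+ivLen+lenFieldLen:]
	if len(enc) != n || n%aes.BlockSize != 0 {
		return SessionState{}, errors.New("bad encrypted_state length")
	}
	block, err := aes.NewCipher(keys.EncKey[:])
	if err != nil {
		return SessionState{}, err
	}
	plain := make([]byte, n)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, enc)
	unpadded, err := pkcs7Unpad(plain)
	if err != nil {
		return SessionState{}, err
	}
	s, err := decodeState(unpadded)
	if err != nil {
		return SessionState{}, err
	}
	if now.Unix() >= s.Expiry {
		return SessionState{}, errors.New("ticket lifetime exceeded")
	}
	return s, nil
}

// demoKeys returns constructed deployment keys; real nodes load these from configuration.
func demoKeys(seed byte) *TicketKeys {
	k := &TicketKeys{}
	for i := range k.KeyName {
		k.KeyName[i], k.EncKey[i], k.MACKey[i] = seed, seed+1, seed+2
	}
	return k
}

func main() {
	shared := demoKeys(0x41)
	now := time.Now()
	st := SessionState{Identity: "alice@example.com", CipherID: 0x002F, Expiry: now.Add(time.Hour).Unix()}
	ticket, err := IssueTicket(shared, st) // issued by node A
	if err != nil {
		panic(err)
	}
	got, err := ResumeFromTicket(demoKeys(0x41), ticket, now.Add(10*time.Minute)) // node B, same keys
	fmt.Println("resumed on another node:", got.Identity, err)
	_, err = ResumeFromTicket(shared, ticket, now.Add(2*time.Hour))
	fmt.Println("after lifetime:", err)
	tampered := append([]byte(nil), ticket...)
	tampered[keyNameLen+ivLen+lenFieldLen] ^= 0x01
	_, err = ResumeFromTicket(shared, tampered, now)
	fmt.Println("modified ciphertext:", err)
}
```

The order of checks matters: the MAC is verified over the whole ticket before any decryption or padding check, so a client cannot learn anything from decryption or padding errors, and a ticket whose key_name a node does not recognise is simply refused so the client falls back to a full authentication.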
Related Topics
Types of PACs, page B-23
User Certificate Authentication, page B-6
PEAPv0/1
This section contains the following topics:
Overview of PEAP, page B-15
EAP-MSCHAPv2, page B-30
ACS 5.4 supports these PEAP supplicants:
Microsoft Built-In Clients 802.1x XP (PEAPv0 only)
Microsoft Built-In Clients 802.1x Vista (PEAPv0 only)
Microsoft Built-In Clients 802.1x Windows 7
CSSC v.4.0
CSSC v.5