B-16
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
PEAPv0/1
Fast Reconnect, page B-16
Session Resume, page B-16
Protected Exchange of Arbitrary Parameters, page B-17
Cryptobinding TLV Extension, page B-17
Server Authenticated and Unauthenticated Tunnel Establishment Modes
Tunnel establishment helps prevent an attacker from injecting packets between the client and the
network access server (NAS), or from negotiating the use of a less secure EAP method. The encrypted TLS
channel also helps prevent denial of service attacks against the ACS.
A client EAP message is always carried in the RADIUS Access-Request message, and the server EAP
message is always carried in the RADIUS Access-Challenge message. The EAP Success message is
always carried in the RADIUS Access-Accept message.
The EAP Failure message is always carried in the RADIUS Access-Reject message. The client's PEAP
message may cause the RADIUS client's message to drop unless the policy component is configured
otherwise.
Fast Reconnect
When a session resumes, another way of decreasing the authentication time is to skip the inner
method; this is known as fast reconnect. After the tunnel is built, the authentication flow goes directly to
the result exchange: a Result TLV Success (v0) or tunneled EAP Success message for
successful authentication, and an EAP Failure message for unsuccessful authentication.
You can configure ACS to enable the fast reconnect option. After successful authentication, the client is
able to perform a fast reconnect during a certain timeframe. PEAP fast reconnect reduces the delay in
the time between an authentication request by a client and the response by ACS.
Fast reconnect also allows wireless clients to move between access points without repeated requests for
authentication, which reduces resource requirements for the client and the server.
The user identity and the protocol used for user authentication (inner method) should be cached along
with the TLS session to allow fast reconnect.
Session Resume
ACS supports a session resume feature for PEAP-authenticated user sessions. When this feature is
enabled, ACS caches the TLS session that is created during phase one of PEAP authentication, provided
that the user successfully authenticates in phase two of PEAP.
If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS
session, resulting in faster PEAP performance and a lessened AAA server load.
ACS stores the session in the cache after a successful full authentication. A client may try to resume the
same session during a specific timeframe. A server certificate is not presented and the tunnel is built by
using the session information from the OpenSSL/CiscoSSL session cache. The authentication flow then
goes directly to the inner method.
If a client attempts to perform session resume but the timeout elapsed, ACS reverts to the full
authentication flow.
You can configure the session resume and timeout values.
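The following Python model, added here as an illustration and not taken from ACS or its documentation, captures the cache rules stated in the Fast Reconnect and Session Resume sections: a TLS session is cached only after phase two succeeds, a resume within the timeout skips the server certificate, fast reconnect additionally skips the inner method, and an expired entry forces the full flow. Class and method names, the session-ID keys and the timeout values are constructed for the example.

```python
"""Model of ACS PEAP session caching (constructed example, not ACS code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict


class Flow(Enum):
    """Which PEAP flow ACS runs for a connecting client."""
    FULL = "server certificate presented, inner method run"
    SESSION_RESUME = "tunnel from cached TLS session, inner method run"
    FAST_RECONNECT = "tunnel from cached TLS session, inner method skipped"


@dataclass
class CachedSession:
    identity: str       # user identity, cached with the TLS session
    inner_method: str   # inner EAP method used in phase two
    created_at: float   # time of the successful full authentication


@dataclass
class PeapSessionCache:
    session_timeout: float              # configured resume window (seconds)
    fast_reconnect_enabled: bool = False
    _entries: Dict[bytes, CachedSession] = field(default_factory=dict)

    def record_full_auth(self, session_id: bytes, identity: str,
                         inner_method: str, phase_two_ok: bool, now: float):
        """Cache the phase-one TLS session only if phase two succeeded."""
        if phase_two_ok:
            self._entries[session_id] = CachedSession(identity, inner_method, now)
        else:
            self._entries.pop(session_id, None)  # failed users are never resumable

    def select_flow(self, session_id: bytes, now: float) -> Flow:
        """Decide the flow for a client presenting a TLS session ID."""
        entry = self._entries.get(session_id)
        if entry is None:
            return Flow.FULL
        if now - entry.created_at > self.session_timeout:
            del self._entries[session_id]      # timeout elapsed: revert to full flow
            return Flow.FULL
        # Identity and inner method are cached, so the result exchange can follow
        # directly when fast reconnect is enabled; otherwise run the inner method.
        return Flow.FAST_RECONNECT if self.fast_reconnect_enabled else Flow.SESSION_RESUME


if __name__ == "__main__":
    cache = PeapSessionCache(session_timeout=3600, fast_reconnect_enabled=True)
    sid = b"\x10\x20\x30\x40"                     # constructed TLS session ID
    cache.record_full_auth(sid, "alice", "EAP-MSCHAPv2", True, now=0)
    print(cache.select_flow(sid, now=600))        # Flow.FAST_RECONNECT
    print(cache.select_flow(sid, now=4000))       # Flow.FULL (expired)
```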