B-23
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-FAST
Provisioning Modes
ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates
inside a TLS tunnel that is established using Anonymous DH, Authenticated DH, or RSA for key
agreement.
To minimize the risk of exposing the user’s credentials, a clear text password should not be used outside
of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's
credentials within the protected tunnel. The information contained in the PAC is also available for further
authentication sessions after the inner EAP method has completed.
EAP-FAST has been enhanced to support an authenticated tunnel (by using the server certificate) inside
which PAC provisioning occurs. The new cipher suites that are enhancements to EAP-FAST, and
specifically the server certificate, are used.
At the end of a provisioning session that uses an authenticated tunnel, network access can be granted
because the server and user have authenticated each other.
ACS supports the following EAP methods inside the tunnel for provisioning:
EAP-MSCHAPv2
EAP-GTC
By default, when you use EAP-MSCHAP inner methods and the initial authentication attempt fails, ACS
allows further authentication attempts inside the TLS tunnel, up to the value you configured on the
Service page. After the fourth failed authentication attempt inside the SSL tunnel, ACS terminates the
EAP conversation, resulting in a RADIUS Access-Reject.
ACS supports issuing an out-of-band PAC file that allows you to generate a PAC that can be downloaded
to ACS.
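The in-band provisioning rules above (credentials only inside the tunnel, a bounded number of inner-method retries, Access-Reject when the EAP conversation is terminated, and access granted only after an authenticated tunnel) modelled as a small server-side state machine. This is an added illustration, not ACS code; the retry limit of 4, the TunnelType names, and the assumption that a PAC provisioned over an anonymous tunnel yields Access-Reject until the client re-authenticates with that PAC are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class TunnelType(Enum):
    NONE = "none"                   # no TLS tunnel established yet
    ANONYMOUS = "anonymous-dh"      # unauthenticated provisioning tunnel
    AUTHENTICATED = "server-cert"   # supplicant verified the server certificate


INNER_METHODS = ("EAP-MSCHAPv2", "EAP-GTC")  # inner methods ACS supports for provisioning


@dataclass
class ProvisioningSession:
    """Server-side view of one EAP-FAST in-band provisioning conversation.

    max_inner_attempts stands in for the retry value configured on the Service
    page; the constructed default of 4 matches the guide's "fourth failed attempt".
    """
    max_inner_attempts: int = 4
    tunnel: TunnelType = TunnelType.NONE
    failures: int = 0
    terminated: bool = False
    pac_provisioned: bool = False

    def establish_tunnel(self, tunnel: TunnelType) -> None:
        self.tunnel = tunnel

    def inner_auth(self, method: str, credential_ok: bool) -> str:
        """Process one inner-method attempt and return the resulting RADIUS code."""
        if method not in INNER_METHODS:
            raise ValueError(f"unsupported inner method: {method}")
        if self.terminated or self.tunnel is TunnelType.NONE:
            # Conversation already torn down, or a clear-text credential arrived
            # outside the protected tunnel: never accept it.
            return "Access-Reject"
        if credential_ok:
            self.pac_provisioned = True
            # Access is granted only when the tunnel itself was authenticated.
            # Assumption: after anonymous provisioning the client must come back
            # with the new PAC, so this session ends in a reject.
            return "Access-Accept" if self.tunnel is TunnelType.AUTHENTICATED else "Access-Reject"
        self.failures += 1
        if self.failures >= self.max_inner_attempts:
            self.terminated = True           # ACS terminates the EAP conversation
            return "Access-Reject"
        return "Access-Challenge"            # retry allowed inside the same tunnel
```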
Types of PACs
ACS supports the following types of PACs:
Tunnel v1 and v1a
SGA
Machine
Authorization
ACS provisions supplicants with a PAC that contains a shared secret that is used in building a TLS tunnel
between the supplicant and ACS. ACS provisions supplicants with PACs that have a wider contextual
use.
The following types of PACs are provisioned to ACS, as per server policies:
Tunnel/Machine PAC—Contains user or machine information, but no policy information.
User Authorization PAC—Contains policy elements (for example, inner method used for user
authentication). You can use the User Authorization PACs to allow a stateless server session to
resume, as described in Session Resume, page B-16.