B-24
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-FAST
The various means by which an end-user client can receive PACs are:
• PAC provisioning—Required when an end-user client has no PAC. For more information about how master-key and PAC states determine whether PAC provisioning is required, see Master Key Generation and PAC TTLs, page B-27.
  The two supported means of PAC provisioning are:
  – Automatic In-Band PAC Provisioning—Sends a PAC by using a secure network connection. For more information, see Automatic In-Band PAC Provisioning, page B-24.
  – Manual provisioning—Requires that you use ACS to generate a PAC file for the user, copy the PAC file to the computer that is running the end-user client, and import the PAC file into the end-user client. For more information, see Manual PAC Provisioning, page B-25.
• PAC refresh—Occurs based on the value you specify in the Proactive PAC Update When field. For more information about how master-key and PAC states determine whether a PAC is refreshed, see Master Key Generation and PAC TTLs, page B-27.
PACs have the following two states, which the PAC TTL setting determines:
• Active—A PAC younger than the PAC TTL is considered active and can be used to complete EAP-FAST phase one.
• Expired—A PAC that is older than the PAC TTL is considered expired. At the end of EAP-FAST phase two, ACS generates a new PAC for the user and provides it to the end-user client.
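To make the TTL-driven state and refresh decisions concrete, the following Python model is an added example (it is not code from this guide or from ACS itself): it classifies a PAC as active or expired from its issue time and TTL, and decides whether the PAC is used as-is, refreshed proactively, or replaced after phase two. The Pac class, the function names, the constructed sample PACs, and the reading of the Proactive PAC Update When field as "refresh when at most this percentage of the TTL remains" are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Pac:
    """A user PAC as the server would track it: issue time plus configured TTL (assumed model)."""
    issued_at: datetime
    ttl: timedelta


def pac_state(pac: Pac, now: datetime) -> str:
    """Active while the PAC is younger than the PAC TTL; expired once it is as old or older."""
    return "active" if now - pac.issued_at < pac.ttl else "expired"


def pac_action(pac: Pac, now: datetime, proactive_update_pct: int) -> str:
    """Decide how the PAC is handled on an authentication attempt at time `now`.

    proactive_update_pct stands in for the Proactive PAC Update When field. Reading it as
    "percentage of the TTL still remaining" is an assumption of this example, not a
    statement from the guide.
    """
    if pac_state(pac, now) == "expired":
        # An expired PAC cannot complete phase one; after phase two a new PAC is issued.
        return "reprovision-after-phase-two"
    remaining = pac.ttl - (now - pac.issued_at)
    if remaining <= pac.ttl * (proactive_update_pct / 100):
        # Still active, but inside the proactive update window: refresh during this session.
        return "proactive-refresh"
    return "use-as-is"


def evaluate_pacs(pacs: dict, now: datetime, proactive_update_pct: int) -> list:
    """Return (name, state, action) for every PAC in `pacs`, in insertion order."""
    return [
        (name, pac_state(p, now), pac_action(p, now, proactive_update_pct))
        for name, p in pacs.items()
    ]


# Constructed sample data for the example (not values from the guide).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
TTL = timedelta(days=90)
SAMPLE_PACS = {
    "fresh":   Pac(NOW - timedelta(days=10), TTL),   # 80 days left
    "aging":   Pac(NOW - timedelta(days=85), TTL),   # 5 days left, inside a 10% window
    "expired": Pac(NOW - timedelta(days=100), TTL),  # past the TTL
}

if __name__ == "__main__":
    for name, state, action in evaluate_pacs(SAMPLE_PACS, NOW, 10):
        print(f"{name:8} {state:8} {action}")
```

The boundary case is deliberate: a PAC whose age equals the TTL exactly is treated as expired, so the decision never relies on a PAC that is at the edge of its lifetime.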
Automatic In-Band PAC Provisioning
Automatic In-Band PAC Provisioning, which is the same as EAP-FAST phase zero, sends a new PAC to
an end-user client over a secured network connection. Automatic In-Band PAC Provisioning requires no
intervention of the network user or an ACS administrator, provided that you configure ACS and the
end-user client to support Automatic In-Band PAC Provisioning.
Note Given that ACS associates each user with a single identity store, the use of Automatic In-Band PAC Provisioning requires that EAP-FAST users be authenticated with an identity store that is compatible with EAP-FAST phase zero. For the databases with which ACS can support EAP-FAST phase zero and phase two, see Authentication Protocol and Identity Store Compatibility, page B-36.
In general, phase zero of EAP-FAST does not authorize network access. In this general case, after the client has successfully performed phase zero PAC provisioning, the client must send a new EAP-FAST request in order to begin a new round of phase one tunnel establishment, followed by phase two authentication.
However, if you choose the Accept Client on Authenticated Provisioning option, ACS sends a RADIUS Access-Accept (that contains an EAP Success) at the end of a successful phase zero PAC provisioning, and the client is not forced to reauthenticate. This option can be enabled only when the Allow Authenticated In-Band PAC Provisioning option is also enabled.
Because the transmission of PACs in phase zero is secured by MSCHAPv2 authentication, and MSCHAPv2 is vulnerable to dictionary attacks, we recommend that you limit use of Automatic In-Band PAC Provisioning to the initial deployment of EAP-FAST.
After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs. For more information about manual PAC provisioning, see Manual PAC Provisioning, page B-25.