User Guide for Cisco Secure Access Control System 5.4, OL-26225-01, page B-30
Appendix B Authentication in ACS 5.4
A list of retired ACS 4.x master keys. The list is taken from the ACS 4.x configuration and placed
in a new table in ACS 5.4. Each migrated master key is associated with its expected expiration
time. The table is migrated along with the master-key identifier (index) and the PAC cipher
assigned to each key.
EAP Authentication with RADIUS Key Wrap
You can configure ACS to use PEAP, EAP-FAST and EAP-TLS authentication with RADIUS Key Wrap.
ACS can then authenticate RADIUS messages and distribute the session key to the network access server
(NAS). The EAP session key is encrypted by using Advanced Encryption Standard (AES), and the
RADIUS message is authenticated by using HMAC-SHA-1.
Because RADIUS transports the EAP messages (in the EAP-Message attribute), securely
authenticating the RADIUS messages also securely authenticates the EAP exchange they carry. You
can use RADIUS Key Wrap when PEAP, EAP-FAST or EAP-TLS authentication is enabled as an external
authentication method. Key Wrap is not supported for EAP-TLS as an inner method (for example,
EAP-TLS tunneled inside EAP-FAST or PEAP).
RADIUS Key Wrap support in ACS uses three new AVPs carried in the cisco-av-pair RADIUS
Vendor-Specific Attribute (VSA); the TLV value of the Cisco VSA is [26/9/1]:
Random-Nonce—Generated by the NAS, it adds randomness to the key data encryption and
authentication, and links request and response packets to prevent replay attacks.
Key—Used for session key distribution.
Message-Authenticator-Code—Ensures the authenticity of the RADIUS message, including the
EAP-Message and Key attributes.
While using RADIUS Key Wrap, ACS enforces the use of these three RADIUS Key Wrap AVPs for
message exchanges and key delivery. ACS rejects any RADIUS (EAP) request that contains both the
RADIUS Key Wrap AVPs and the standard RADIUS Message-Authenticator attribute.
To use RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications, you must enable
EAP authentication with RADIUS Key Wrap in the Network Devices and AAA Clients page or the Default
Network Device page.
You must also define two shared secret keys for each AAA client. Each key must be unique and
distinct from the RADIUS shared secret. RADIUS Key Wrap does not support proxy functionality and
should not be used in a proxy configuration.
EAP-MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP v2) provides two-way
authentication, also known as mutual authentication. The remote access client receives verification that
the remote access server it is dialing in to has access to the user's password.
This section contains the following topics:
Overview of EAP-MSCHAPv2, page B-31
EAP-MSCHAPv2 Flow in ACS 5.4, page B-32