User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 10 Managing Access Policies
Configuring Access Services
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)

Option: Allow EAP-FAST

Description: Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.

When you check Allow EAP-FAST, you can configure EAP-FAST inner methods:

- Allow EAP-MSCHAPv2
  - Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
  - Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.
- Allow EAP-GTC
  - Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
  - Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.
- Allow TLS-Renegotiation—Check for ACS to support TLS-Renegotiation. This option allows an anonymous TLS handshake between the end-user client and ACS. EAP-MS-CHAP will be used as the only inner method in phase zero.
- Use PACs—Choose to configure ACS to provision authorization PACs for EAP-FAST clients. Additional PAC Options appear.
- Don’t use PACs—Choose to configure ACS to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and ACS responds with a Success-TLV without a PAC.
  When you choose this option, you can configure ACS to perform machine authentication.