Chapter 10 Managing Access Policies

Configuring Access Services

Table 10-7 Access Service Properties—Allowed Protocols Page (continued)

Option: Allow EAP-FAST

Description: Enables the EAP-FAST authentication protocol and EAP-FAST settings. The EAP-FAST protocol can support multiple internal protocols on the same server. The default inner method is MSCHAPv2.

When you check Allow EAP-FAST, you can configure EAP-FAST inner methods:

Allow EAP-MSCHAPv2
    Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
    Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.

Allow EAP-GTC
    Allow Password Change—Check for ACS to support password changes in phase zero and phase two of EAP-FAST.
    Retry Attempts—Specifies how many times ACS requests user credentials before returning login failure. Valid values are 1-3.

Allow TLS-Renegotiation—Check for ACS to support TLS-Renegotiation. This option allows an anonymous TLS handshake between the end-user client and ACS. EAP-MS-CHAP will be used as the only inner method in phase zero.

Use PACs—Choose to configure ACS to provision authorization PACs for EAP-FAST clients. Additional PAC Options appear.

Don’t use PACs—Choose to configure ACS to use EAP-FAST without issuing or accepting any tunnel or machine PACs. All requests for PACs are ignored and ACS responds with a Success-TLV without a PAC.
    When you choose this option, you can configure ACS to perform machine authentication.
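The option dependencies in this table (inner-method settings only apply once Allow EAP-FAST is checked, Retry Attempts must be 1-3, and TLS-Renegotiation permits an anonymous phase-zero handshake) are the kind of thing worth checking mechanically before a policy is pushed. The following Python lint is an added example, not Cisco ACS code or part of this guide; the `EapFastConfig` field names are assumptions chosen to mirror the checkbox names above, and the sample configurations are constructed.

```python
"""Constructed example: lint an EAP-FAST allowed-protocols configuration
against the option dependencies described in Table 10-7.

Not Cisco ACS code. The field names are assumptions that mirror the
checkbox labels on the Allowed Protocols page."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class EapFastConfig:
    allow_eap_fast: bool = False
    allow_eap_mschapv2: bool = False
    mschapv2_allow_password_change: bool = False
    mschapv2_retry_attempts: int = 1
    allow_eap_gtc: bool = False
    gtc_allow_password_change: bool = False
    gtc_retry_attempts: int = 1
    allow_tls_renegotiation: bool = False
    # "Use PACs" and "Don't use PACs" are one choice; True means Use PACs.
    use_pacs: bool = True


def lint_eap_fast(cfg: EapFastConfig) -> list[str]:
    """Return a list of findings (ERROR/WARN strings); empty means consistent."""
    findings: list[str] = []

    if not cfg.allow_eap_fast:
        # Inner-method options only take effect once Allow EAP-FAST is checked.
        if cfg.allow_eap_mschapv2 or cfg.allow_eap_gtc or cfg.allow_tls_renegotiation:
            findings.append(
                "ERROR: EAP-FAST inner-method options are set but Allow EAP-FAST is unchecked"
            )
        return findings

    if not (cfg.allow_eap_mschapv2 or cfg.allow_eap_gtc):
        findings.append("ERROR: Allow EAP-FAST is checked but no inner method is allowed")

    # Retry Attempts is valid only in the range 1-3 for each inner method.
    for name, enabled, pw_change, retries in (
        ("EAP-MSCHAPv2", cfg.allow_eap_mschapv2,
         cfg.mschapv2_allow_password_change, cfg.mschapv2_retry_attempts),
        ("EAP-GTC", cfg.allow_eap_gtc,
         cfg.gtc_allow_password_change, cfg.gtc_retry_attempts),
    ):
        if enabled and not 1 <= retries <= 3:
            findings.append(f"ERROR: {name} Retry Attempts must be 1-3, got {retries}")
        if pw_change and not enabled:
            findings.append(
                f"WARN: {name} Allow Password Change is set but {name} is not allowed"
            )

    if cfg.allow_tls_renegotiation:
        # The page states this enables an anonymous TLS handshake in phase zero,
        # with EAP-MS-CHAP as the only inner method there; flag it for review.
        findings.append(
            "WARN: TLS-Renegotiation allows an anonymous phase-zero handshake "
            "(EAP-MS-CHAP is the only inner method in that phase); confirm this is intended"
        )

    return findings


if __name__ == "__main__":
    # Constructed sample: EAP-FAST with MSCHAPv2 inner method and two retries.
    ok = EapFastConfig(allow_eap_fast=True, allow_eap_mschapv2=True,
                       mschapv2_retry_attempts=2)
    # Constructed sample: out-of-range retries and anonymous renegotiation enabled.
    bad = EapFastConfig(allow_eap_fast=True, allow_eap_gtc=True,
                        gtc_retry_attempts=5, allow_tls_renegotiation=True)
    for label, cfg in (("ok", ok), ("bad", bad)):
        print(label, lint_eap_fast(cfg) or ["no findings"])
```

The lint returns findings rather than raising, so it can run over a batch of exported access-service definitions and the ERROR entries can gate a change while the WARN entries are reviewed by hand.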
User Guide for Cisco Secure Access Control System 5.3    OL-24201-01    10-17