Appendix B Authentication in ACS 5.3

EAP-TLS

Overview of EAP-TLS

EAP-TLS is one of the methods in the EAP authentication framework, and is based on the 802.1x and EAP architecture. Components involved in the 802.1x and EAP authentication process are the:

• Host—The end entity, or end user’s machine.

• AAA client—The network access point.

• Authentication server—ACS.

The EAP-TLS standard is described in:

• RFC 2716—PPP EAP-TLS Authentication Protocol

• RFC 3079—Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)

This section contains the following topics:

• User Certificate Authentication, page B-6

• PKI Authentication, page B-7

The host must support EAP-TLS authentication. The access point must support the EAP authentication process in the 802.1x environment (the access point is not aware of the EAP authentication protocol type).

Related Topics

• Configuring CA Certificates, page 8-68

• Certificate-Based Network Access, page 4-9

• ACS and Cisco Security Group Access, page 4-23

• EAP-TLS Flow in ACS 5.3, page B-13

User Certificate Authentication

EAP-TLS is a mutual authentication method for certificate-based authentication; the client and server authenticate each other by using digital certificates. Certificates must meet specific requirements on the server and client for successful authentication. EAP and TLS are Internet Engineering Task Force (IETF) RFC standards.

The EAP protocol carries initial authentication information, specifically the encapsulation of EAP over LANs (EAPOL) as established by IEEE 802.1x. TLS uses certificates for user authentication and dynamic ephemeral session key generation.

After the peer is authenticated and a session is created, the information is cached on ACS for a certain amount of time. The session can be re-established by using the EAP-TLS session resume, without an additional certificate exchange.

ACS 5.3 maintains the server certificate and private key in files on the ACS server, which it uses during EAP-TLS processing. You can choose the certificate authorities (CAs) that are trusted to sign client certificates.

EAP-TLS authentication involves two elements of trust:

• The EAP-TLS negotiation establishes end-user trust by validating, through RSA signature verifications, that the user possesses the private key matching the public key in the certificate. This process verifies that the end user is the legitimate keyholder for a given digital certificate and the corresponding user identification in the certificate. However, trusting that a user possesses a certificate only provides a username-keypair binding.
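The two trust checks described above, as an added example that is not Cisco or ACS code: it uses only the Go standard library to issue a constructed CA and client certificate, has the client sign a server challenge with its private key (the role the TLS CertificateVerify message plays in the EAP-TLS handshake), and has the server verify that RSA signature and then verify the certificate chain against the CAs it was configured to trust. All names, the challenge bytes and the issueCert, signChallenge, authenticate and runScenarios helpers are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert generates an RSA key pair and a certificate for cn (constructed
// helper). With parent == nil the certificate is self-signed (a CA); otherwise
// it is signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // client certificate
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// signChallenge is the client side of proof of possession: it signs the server's
// challenge with the private key that matches its certificate.
func signChallenge(key *rsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// authenticate is the server side. It returns the identity in the certificate
// only if the RSA signature proves possession of the matching private key (the
// username-keypair binding) and the certificate chains to a trusted CA.
func authenticate(cert *x509.Certificate, challenge, sig []byte, trusted *x509.CertPool) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("client certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// runScenarios exercises a legitimate client, a client presenting a valid
// certificate without holding its private key, and a client whose certificate
// was issued by a CA the server was not configured to trust.
func runScenarios() (identity string, wrongKeyErr, untrustedCAErr error) {
	caCert, caKey := issueCert("Example Issuing CA", true, nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert) // the administrator's chosen trusted CA
	challenge := []byte("constructed handshake challenge")

	userCert, userKey := issueCert("alice", false, caCert, caKey)
	identity, err := authenticate(userCert, challenge, signChallenge(userKey, challenge), trusted)
	if err != nil {
		panic(err)
	}

	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // a key pair alice's certificate does not certify
	if err != nil {
		panic(err)
	}
	_, wrongKeyErr = authenticate(userCert, challenge, signChallenge(otherKey, challenge), trusted)

	otherCA, otherCAKey := issueCert("Unconfigured CA", true, nil, nil)
	otherCert, otherCertKey := issueCert("alice", false, otherCA, otherCAKey)
	_, untrustedCAErr = authenticate(otherCert, challenge, signChallenge(otherCertKey, challenge), trusted)
	return identity, wrongKeyErr, untrustedCAErr
}

func main() {
	identity, wrongKeyErr, untrustedCAErr := runScenarios()
	fmt.Println("legitimate client:", identity)
	fmt.Println("wrong private key:", wrongKeyErr)
	fmt.Println("untrusted issuer:", untrustedCAErr)
}
```

The signature check on its own yields only the username-keypair binding the text mentions; the chain check is what ties that binding to an issuer the administrator trusts, which is why ACS lets you choose which CAs may sign client certificates.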

User Guide for Cisco Secure Access Control System 5.3
B-6
OL-24201-01