Cisco Systems OL-24201-01 manual EAP-TLS Flow in ACS, Private Keys and Passwords Backup


Appendix B Authentication in ACS 5.3

EAP-TLS

Private Keys and Passwords Backup

The entire ACS database, including all certificates, private keys and the encrypted private-key passwords, is distributed and backed up on the primary ACS. The private-key-password key of the primary server is also backed up with the primary's backup.

The private-key-password keys of secondary ACS servers are not backed up. Backups are encrypted, so they can be moved in and out of the ACS servers with relative safety. The private keys in a backup are protected by both PKCS#12 and the backup file encryption; the passwords that open the PKCS#12 private keys are protected by the backup encryption.

EAP-TLS Flow in ACS 5.3


An EAP-TLS server exchanges data with a client by using packets based on the EAP Request and EAP Response packets; the packets are extended with EAP-TLS-specific data. ACS acts as the EAP-TLS server and uses the Open Secure Sockets Layer (OpenSSL) library to process the TLS conversation. The ACS EAP-TLS server produces 128-bit MPPE send and receive keys that are used for encrypted communication between the client and server.

The ACS EAP-TLS server sends the MPPE keys to the network device in the RADIUS Vendor-Specific attribute (26) with vendor code Microsoft (311), as the MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17) sub-attributes.
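As an added example (not Cisco's code), the following builds and parses the attribute described above: RADIUS attribute 26, vendor 311, sub-type 16 or 17, with the key protected the way RFC 2548 specifies (a 2-byte salt and MD5 keystream blocks derived from the RADIUS shared secret and the Access-Request authenticator). The shared secret, request authenticator, salt and key values are constructed for the example; the point for a defender is that this wrapping is only as strong as the shared secret between the network device and ACS.

```python
import hashlib
import struct

RADIUS_VENDOR_SPECIFIC = 26        # attribute type named on the page
MS_VENDOR_ID = 311                 # Microsoft vendor code named on the page
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def mppe_encrypt(secret, req_auth, salt, key):
    # RFC 2548 2.4.2: P = len(key) || key, zero-padded to a multiple of 16;
    # c(i) = p(i) xor b(i), with b(1) = MD5(S+R+A) and b(i) = MD5(S + c(i-1)).
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    b, out = _md5(secret, req_auth, salt), b""
    for i in range(0, len(plain), 16):
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, b = out + c, _md5(secret, c)
    return out

def mppe_decrypt(secret, req_auth, salt, ct):
    b, plain = _md5(secret, req_auth, salt), b""
    for i in range(0, len(ct), 16):
        c = ct[i:i + 16]
        plain, b = plain + bytes(x ^ y for x, y in zip(c, b)), _md5(secret, c)
    n = plain[0]                   # length byte; garbage if the secret is wrong
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad key length: wrong secret or corrupted attribute")
    return plain[1:1 + n]

def build_mppe_vsa(sub_type, secret, req_auth, salt, key):
    # Encode key as attribute 26 / vendor 311 / sub-type 16 or 17 (salt MSB must be set).
    if sub_type not in (MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY) or not salt[0] & 0x80:
        raise ValueError("sub-type must be 16 or 17 and salt MSB must be set")
    ct = mppe_encrypt(secret, req_auth, salt, key)
    sub = bytes([sub_type, 4 + len(ct)]) + salt + ct
    body = struct.pack("!I", MS_VENDOR_ID) + sub
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body

def parse_mppe_vsa(attr, secret, req_auth):
    # Validate framing strictly, then return (sub_type, key); raise on anything malformed.
    if len(attr) < 10 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != MS_VENDOR_ID:
        raise ValueError("not a Microsoft (311) VSA")
    sub = attr[6:]
    sub_type, sub_len, salt, ct = sub[0], sub[1], sub[2:4], sub[4:]
    if sub_len != len(sub) or sub_type not in (16, 17) or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("bad vendor sub-attribute")
    return sub_type, mppe_decrypt(secret, req_auth, salt, ct)
```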

Figure B-2 shows the EAP-TLS processing flow between the host, network device, and ACS EAP-TLS server.

Figure B-2 EAP-TLS Flow (diagram: message exchange among the Host, Network device and ACS EAP-TLS server, steps 1 through 5)

1. A host connects to the network. The network device sends an EAP Request to the host.

2. The host sends an EAP Response to the network device; the network device embeds the EAP packet that it received from the host into a RADIUS Access-Request and sends it to ACS.

3. ACS negotiates the EAP method for authentication. The server and client must reach agreement to use EAP-TLS (EAP Request method 13) during EAP method negotiation to instantiate EAP-TLS authentication.

4. The client (host) and server (ACS) exchange certificates; this exchange involves several messages. EAP-TLS authentication is successful after the client and server have authenticated each other, and each side is aware that the other side has authenticated them.

5. ACS returns an EAP Success (or EAP Failure) message to the host and returns a RADIUS Access-Accept (or RADIUS Access-Reject) that includes session keys to the network device.

 

 

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
B-13
