Cisco Systems OL-24201-01 PEAPv0/1

B-14

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Appendix B Authentication in ACS 5.3

PEAPv0/1

Note All communication between the host and ACS goes through the network device.

EAP-TLS authentication fails if the:

•Server fails to verify the client’s certificate, and rejects EAP-TLS authentication.

•Client fails to verify the server’s certificate, and rejects EAP-TLS authentication.

Certificate validation fails if the:

–

Certificate has expired.

–

Server or client cannot find the certificate issuer.

–

Signature check failed.

•The client dropped cases resulting in malformed EAP packets.

EAP-TLS also supports the Session Resume feature. ACS supports the EAP-TLS session resume feature

for fast reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS

configuration includes a session timeout period, ACS caches each TLS session for the duration of the

timeout period.

When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes an

EAP-TLS session, and the user reauthenticates by a TLS handshake only, without a certificate

comparison.

PEAPv0/1

This section contains the following topics:

•Overview of PEAP, page B-15

•EAP-MSCHAPv2, page B-30

ACS 5.3 supports these PEAP supplicants:

•Microsoft Built-In Clients 802.1x XP (PEAPv0 only)

•Microsoft Built-In Clients 802.1x Vista (PEAPv0 only)

•Microsoft Built-In Clients 802.1x Windows 7

•CSSC v.4.0

•CSSC v.5

•Funk Odyssey access client (latest version)

•Intel Supplicant 12.4.x