Appendix B Authentication in ACS 5.3


Note All communication between the host and ACS goes through the network device.

EAP-TLS authentication fails if the:

• Server fails to verify the client's certificate, and rejects EAP-TLS authentication.

• Client fails to verify the server's certificate, and rejects EAP-TLS authentication.

• Certificate validation fails if the:

– Certificate has expired.

– Server or client cannot find the certificate issuer.

– Signature check fails.

• Client dropped cases resulting in malformed EAP packets.

EAP-TLS also supports the Session Resume feature, which ACS uses for fast reauthentication of a user who has already passed a full EAP-TLS authentication. If the EAP-TLS configuration includes a session timeout period, ACS caches each TLS session for the duration of that period.

When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the cached TLS session and the user reauthenticates by a TLS handshake only, without a certificate comparison. Because the certificate is not re-examined on resume, a certificate that becomes invalid during the timeout period (for example, one that expires) continues to be accepted until the cached session expires and a full EAP-TLS authentication is required again; choose the session timeout with this in mind.
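The following is an added simulation of the behaviour described above; it is not ACS code. It models a full EAP-TLS authentication that applies the validation checks listed earlier (expiry, unknown issuer, signature check) and caches the session for the configured timeout, and a resume path that performs the handshake only, without looking at the certificate again. The class and field names, the trusted issuer "Example-CA", and the use of a plain numeric clock are assumptions made for the example.

```python
"""Simulation of the EAP-TLS session-resume cache described in the text.

Added example, not part of the ACS product or documentation. The names
(ResumeCache, ClientCert, "Example-CA") and the numeric clock are
assumptions; the behaviour modelled is the one the text describes:
full authentication validates the certificate and caches the session,
resume within the timeout skips the certificate comparison.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ClientCert:
    """Minimal stand-in for the fields the validation checks look at."""
    subject: str
    not_after: float          # expiry time on the simulated clock
    issuer: str
    signature_ok: bool = True # result of the signature check


@dataclass
class ResumeCache:
    """Server-side EAP-TLS session cache with a configured timeout."""
    session_timeout: float
    trusted_issuers: Set[str]
    # session_id -> (subject, cache-entry expiry time)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def validate(self, cert: ClientCert, now: float) -> str:
        """Apply the certificate-validation failure causes from the text."""
        if cert.not_after <= now:
            return "expired"
        if cert.issuer not in self.trusted_issuers:
            return "issuer-not-found"
        if not cert.signature_ok:
            return "signature-check-failed"
        return "ok"

    def full_auth(self, session_id: str, cert: ClientCert, now: float) -> Tuple[str, str]:
        """Full EAP-TLS authentication: validate, then cache the session."""
        reason = self.validate(cert, now)
        if reason != "ok":
            return ("fail", reason)
        self.sessions[session_id] = (cert.subject, now + self.session_timeout)
        return ("full", "ok")

    def resume(self, session_id: str, now: float) -> Tuple[str, str]:
        """Session resume: TLS handshake only, no certificate comparison.

        An expired cache entry is dropped and the client must do a full
        authentication again, which re-runs validate()."""
        entry = self.sessions.get(session_id)
        if entry is None or entry[1] <= now:
            self.sessions.pop(session_id, None)
            return ("need-full-auth", "no-cached-session")
        return ("resumed", "handshake-only")


def demo() -> List[Tuple[str, str]]:
    """Walk one client through the window in which the caveat applies.

    Constructed scenario: session timeout 3600 s, certificate expiring
    at t=1800. The resume at t=2000 still succeeds because the certificate
    is not re-examined; only after the cache entry lapses at t=3600 does the
    next full authentication reject the expired certificate."""
    cache = ResumeCache(session_timeout=3600.0, trusted_issuers={"Example-CA"})
    cert = ClientCert(subject="host1", not_after=1800.0, issuer="Example-CA")
    steps = [
        cache.full_auth("sess-1", cert, now=0.0),     # ("full", "ok")
        cache.resume("sess-1", now=1000.0),           # ("resumed", "handshake-only")
        cache.resume("sess-1", now=2000.0),           # still resumed, cert expired at 1800
        cache.resume("sess-1", now=3700.0),           # ("need-full-auth", "no-cached-session")
        cache.full_auth("sess-1", cert, now=3700.0),  # ("fail", "expired")
    ]
    return steps


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The worst-case acceptance window for a certificate that becomes invalid is therefore the configured session timeout measured from the last full authentication, which is the figure to weigh when setting that timeout.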

Related Topics

Types of PACs, page B-22

User Certificate Authentication, page B-6

PEAPv0/1

This section contains the following topics:

Overview of PEAP, page B-15

EAP-MSCHAPv2, page B-30

ACS 5.3 supports these PEAP supplicants:

Microsoft Built-In Clients 802.1x XP (PEAPv0 only)

Microsoft Built-In Clients 802.1x Vista (PEAPv0 only)

Microsoft Built-In Clients 802.1x Windows 7

CSSC v.4.0

CSSC v.5

Funk Odyssey access client (latest version)

Intel Supplicant 12.4.x


User Guide for Cisco Secure Access Control System 5.3

B-14

OL-24201-01
