Appendix B Authentication in ACS 5.3

PEAPv0/1

Server Authenticated and Unauthenticated Tunnel Establishment Modes

Tunnel establishment helps prevent an attacker from injecting packets between the client and the network access server (NAS) or, to allow negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the ACS.

A client EAP message is always carried in the RADIUS Access-Request message, and the server EAP message is always carried in the RADIUS Access-Challenge message. The EAP Success message is always carried in RADIUS Access-Accept message.

The EAP Failure message is always carried in the RADIUS Access-Reject message. The client's PEAP message may cause the RADIUS client's message to drop unless the policy component is configured otherwise.

Fast Reconnect

When a session resumes, another method of decreasing the authentication time is to skip the inner method, also known as fast reconnect. After a tunnel is built, the authentication flow goes directly to exchange authentication information with a Result TLV Success (v0)/tunneled EAP Success message for successful authentication and an EAP Failure message in case of unsuccessful authentication.

You can configure ACS to enable the fast reconnect option. After successful authentication, the client is able to perform a fast reconnect during a certain timeframe. PEAP fast reconnect reduces the delay in the time between an authentication request by a client and the response by ACS.

Fast reconnect also allows wireless clients to move between access points without repeated requests for authentication, which reduces resource requirements for the client and the server.

The user identity and the protocol used for user authentication (inner method) should be cached along with the TLS session to allow fast reconnect.

Session Resume

ACS supports a session resume feature for PEAP-authenticated user sessions. When this feature is enabled, ACS caches the TLS session that is created during phase one of PEAP authentication, provided that the user successfully authenticates in phase two of PEAP.

If a user needs to reconnect and the original PEAP session has not timed out, ACS uses the cached TLS session, resulting in faster PEAP performance and a lessened AAA server load.

ACS stores the session in the cache after a successful full authentication. A client may try to resume the same session during a specific timeframe. A server certificate is not presented and the tunnel is built by using the session information from the OpenSSL session cache. The authentication flow then goes directly to the inner method.

If a client attempts to perform session resume but the timeout elapsed, ACS reverts to the full authentication flow.

You can configure the session resume and timeout values.

Protected Exchange of Arbitrary Parameters

TLV tuples provide a way to exchange arbitrary information between the peer and ACS within a secure channel.

 

User Guide for Cisco Secure Access Control System 5.3

B-16

OL-24201-01

Page 596
Image 596
Cisco Systems OL-24201-01 manual Fast Reconnect