Appendix B Authentication in ACS 5.3

EAP-FAST

Authenticating with MSCHAPv2

After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:

Step 1 ACS sends an EAP-Request/Identity message.

Step 2 The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.

Step 3 ACS sends an EAP-Request/EAP-MSCHAPv2 challenge message that contains a challenge string.

Step 4 The wireless client responds with an EAP-Response/EAP-MSCHAPv2 Response message that contains the response to the ACS challenge string and a challenge string for ACS.

Step 5 ACS sends an EAP-Request/EAP-MSCHAPv2 success message, which indicates that the wireless client response was correct and contains the response to the wireless client challenge string.

Step 6 The wireless client responds with an EAP-Response/EAP-MSCHAPv2 acknowledgment message, indicating that the ACS response was correct.

Step 7 ACS sends an EAP-Success message.

At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the ACS challenge string), and ACS has provided proof of knowledge of the correct password (the response to the wireless client challenge string). The entire exchange is encrypted through the TLS channel created in PEAP.
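The seven-step exchange above, modelled as an added example that is not code from the ACS product or this guide: both sides are driven through the message sequence so that a wrong client password stops at step 5 and a server that cannot answer the client's challenge is refused at step 6. The MSCHAPv2 challenge/response arithmetic is replaced by an HMAC-SHA256 stand-in (an assumption, not the real NT-hash/DES computation), and message names and the identity-store dictionary are constructed for illustration.

```python
import hmac, hashlib, os
# Stand-in for the MSCHAPv2 response (assumption): HMAC-SHA256 over the shared
# password instead of the real NT-hash/DES computation. Messages are (type, payload).
def chal_response(password: str, challenge: bytes, who: bytes) -> bytes:
    return hmac.new(password.encode(), who + challenge, hashlib.sha256).digest()
class ACS:
    """Server side: steps 1, 3, 5 and 7; identity_store maps identity -> password."""
    def __init__(self, identity_store: dict):
        self.store, self.identity, self.challenge = identity_store, None, None
    def step1(self):
        return ("EAP-Request/Identity", None)
    def step3(self, identity_msg):
        self.identity, self.challenge = identity_msg[1], os.urandom(16)
        return ("EAP-Request/EAP-MSCHAPv2 challenge", self.challenge)
    def step5(self, response_msg):
        client_resp, client_chal = response_msg[1]
        pw = self.store.get(self.identity, "")
        if not hmac.compare_digest(client_resp, chal_response(pw, self.challenge, b"C")):
            return ("EAP-Failure", None)      # client did not prove the password
        return ("EAP-Request/EAP-MSCHAPv2 success", chal_response(pw, client_chal, b"S"))
    def step7(self, ack_msg):
        ok = ack_msg[0] == "EAP-Response/EAP-MSCHAPv2 acknowledgment"
        return ("EAP-Success", None) if ok else ("EAP-Failure", None)
class Client:
    """Wireless client side: steps 2, 4 and 6."""
    def __init__(self, identity: str, password: str):
        self.identity, self.password, self.challenge = identity, password, None
    def step2(self, request_msg):
        return ("EAP-Response/Identity", self.identity)
    def step4(self, challenge_msg):
        self.challenge = os.urandom(16)       # client's own challenge for ACS
        resp = chal_response(self.password, challenge_msg[1], b"C")
        return ("EAP-Response/EAP-MSCHAPv2 Response", (resp, self.challenge))
    def step6(self, success_msg):
        expected = chal_response(self.password, self.challenge, b"S")
        if success_msg[0].endswith("success") and hmac.compare_digest(success_msg[1], expected):
            return ("EAP-Response/EAP-MSCHAPv2 acknowledgment", None)
        return ("EAP-Response/Nak", None)     # ACS did not prove the password
def run_exchange(acs: ACS, client: Client) -> list:
    # Drives the seven steps and returns the message types in order
    log, m = [], acs.step1(); log.append(m[0])
    m = client.step2(m); log.append(m[0])
    m = acs.step3(m); log.append(m[0])
    m = client.step4(m); log.append(m[0])
    m = acs.step5(m); log.append(m[0])
    if m[0] == "EAP-Failure":
        return log                            # no server proof, stop here
    m = client.step6(m); log.append(m[0])
    m = acs.step7(m); log.append(m[0])
    return log
```

Because the client only acknowledges after checking the server's answer to its own challenge, a server that merely accepts the client's response without knowing the password never reaches EAP-Success.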

Related Topics

Authentication Protocol and Identity Store Compatibility, page B-35

Configuring PEAP Settings, page 18-3

EAP-FAST

This section contains the following topics:

Overview of EAP-FAST, page B-18

EAP-FAST Flow in ACS 5.3, page B-26

EAP-FAST PAC Management, page B-27

Overview of EAP-FAST

The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a new, publicly accessible IEEE 802.1x EAP type that Cisco developed to support customers that cannot enforce a strong password policy and want to deploy an 802.1x EAP type that does not require digital certificates.

EAP-FAST supports a variety of user and password database types, password change and expiration, and is flexible, easy to deploy, and easy to manage. For more information about EAP-FAST and comparison with other EAP types, see:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml

 

User Guide for Cisco Secure Access Control System 5.3

B-18

OL-24201-01
