Appendix B Authentication in ACS 5.3

EAP-FAST

Provisioning Modes

ACS supports out-of-band and in-band provisioning modes. In-band provisioning takes place inside a TLS tunnel established with anonymous Diffie-Hellman, authenticated Diffie-Hellman, or RSA key agreement.

To minimize the risk of exposing the user’s credentials, a clear text password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials within the protected tunnel. The information contained in the PAC is also available for further authentication sessions after the inner EAP method has completed.

EAP-FAST has been enhanced to support an authenticated tunnel (established using the server certificate) inside which PAC provisioning occurs. The cipher suites added as enhancements to EAP-FAST, which rely on the server certificate, are used for this tunnel.

At the end of a provisioning session that uses an authenticated tunnel, network access can be granted because the server and user have authenticated each other.

ACS supports the following EAP methods inside the tunnel for provisioning:

EAP-MSCHAPv2

EAP-GTC

By default, when you use EAP-MSCHAP inner methods and the initial authentication attempt fails, ACS allows further attempts inside the TLS tunnel, up to the value you configured on the Service page. After the fourth failed authentication attempt inside the SSL tunnel, ACS terminates the EAP conversation, resulting in a RADIUS Access-Reject.

ACS also supports out-of-band provisioning: you can generate a PAC file that can then be downloaded to ACS.

Types of PACs

ACS supports the following types of PACs:

Tunnel v1 and v1a

SGA

Machine

Authorization

ACS provisions supplicants with a PAC that contains a shared secret, which is used to build the TLS tunnel between the supplicant and ACS. ACS can also provision supplicants with PACs that have a wider contextual use than tunnel establishment.

The following types of PACs are provisioned to ACS, as per server policies:

Tunnel/Machine PAC—Contains user or machine information, but no policy information.

User Authorization PAC—Contains policy elements (for example, inner method used for user authentication). You can use the User Authorization PACs to allow a stateless server session to resume, as described in Session Resume, page B-16.
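As an added example that is not part of the Cisco guide, the following Python parses an EAP-FAST PAC TLV using the attribute numbers from RFC 4851 (PAC-Key, PAC-Opaque, and PAC-Info with its PAC-Lifetime, A-ID and PAC-Type sub-attributes) and decides whether the PAC is still usable before the supplicant tries to build a tunnel with it. The PAC bytes and the timestamp are constructed; the SGA and v1a variants listed above are Cisco-specific and are not modelled.

```python
# Added example, not from the Cisco guide: parse an EAP-FAST PAC TLV (RFC 4851 sec. 4.2.12).
import struct

PAC_TLV = 11
PAC_KEY, PAC_OPAQUE, PAC_LIFETIME, A_ID, PAC_INFO, PAC_TYPE = 1, 2, 3, 4, 9, 10
PAC_TYPES = {1: "Tunnel", 2: "Machine", 3: "User Authorization"}  # RFC 4851 values


def iter_tlvs(buf):
    """Yield (type, value) pairs; the top two bits of the type field are the M and R flags."""
    off = 0
    while off < len(buf):
        t, ln = struct.unpack_from("!HH", buf, off)  # struct.error if the header is truncated
        off += 4
        if off + ln > len(buf):
            raise ValueError("TLV length exceeds buffer")
        yield t & 0x3FFF, buf[off:off + ln]
        off += ln


def tlv(t, value):
    return struct.pack("!HH", t, len(value)) + value


def parse_pac(pac_tlv):
    """Return a dict with key length, A-ID, lifetime and PAC type (PAC-Key value is never exposed)."""
    t, body = next(iter_tlvs(pac_tlv), (None, b""))
    if t != PAC_TLV:
        raise ValueError("not a PAC TLV")
    pac = {}
    for sub_t, val in iter_tlvs(body):
        if sub_t == PAC_KEY:
            pac["key_len"] = len(val)  # the PAC-Key is a secret: record only its size
        elif sub_t == PAC_INFO:  # PAC-Info carries its own sub-TLVs
            for info_t, ival in iter_tlvs(val):
                if info_t == PAC_LIFETIME:
                    pac["lifetime"] = struct.unpack("!I", ival)[0]  # seconds since the epoch
                elif info_t == A_ID:
                    pac["a_id"] = ival.hex()
                elif info_t == PAC_TYPE:
                    pac["type"] = PAC_TYPES.get(struct.unpack("!H", ival)[0], "unknown")
    return pac


def pac_usable(pac, now):
    """Usable only with a 32-octet key, a known type and an unexpired lifetime; otherwise re-provision."""
    return pac.get("key_len") == 32 and pac.get("type") in PAC_TYPES.values() and pac.get("lifetime", 0) > now


SAMPLE_NOW = 1_700_000_000  # constructed clock value; sample below is a Tunnel PAC valid for one year
SAMPLE_PAC = tlv(PAC_TLV, tlv(PAC_KEY, bytes(range(32))) + tlv(PAC_OPAQUE, b"\xaa" * 16)
                  + tlv(PAC_INFO, tlv(PAC_LIFETIME, struct.pack("!I", SAMPLE_NOW + 365 * 86400))
                        + tlv(A_ID, b"\x01\x02") + tlv(PAC_TYPE, struct.pack("!H", 1))))
```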


User Guide for Cisco Secure Access Control System 5.3

B-22

OL-24201-01
