Appendix B Authentication in ACS 5.3

EAP-FAST

To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global System Options pages in the System Administration drawer. For more information, see EAP-FAST, page B-18.

Manual PAC Provisioning

Manual PAC provisioning requires an ACS administrator to generate PAC files, which must then be distributed to the applicable network users. Users must configure end-user clients with their PAC files.

You can use manual PAC provisioning to control who can use EAP-FAST to access your network. If you disable Automatic In-Band PAC Provisioning, any EAP-FAST user who is not provisioned with a PAC will not be able to access the network.

If your ACS deployment includes network segmentation, wherein a separate ACS controls access to each network segment, manual PAC provisioning enables you to grant EAP-FAST access on a per-segment basis.

For example, if your company uses EAP-FAST for wireless access in its Chicago and Boston offices and the Cisco Aironet Access Points at each of these two offices are configured to use different ACSs, you can determine, on a per-employee basis, whether Boston employees visiting the Chicago office can have wireless access.

While the administrative overhead of manual PAC provisioning is much greater than that of automatic in-band PAC provisioning, it does not risk sending the PAC over the network. Although manual provisioning requires considerable effort early on, because many end-user clients must be configured during the initial deployment, it is the most secure means of distributing PACs.

We recommend that, after a large EAP-FAST deployment, you manually perform PAC provisioning to ensure the highest security for PACs.

You can generate PAC files for specific usernames. You can also generate a PAC for a machine and provision the PAC manually to the client.

The following parameters are required to create a PAC:

Specifying whether it is a user or machine PAC.

Identity stored in Internal Identity Store ID field.

PAC Time to Live (TTL).

PAC encryption on or off, and password for encryption.

The PAC can be encrypted with the specified password using the RC4 or AES algorithm. The client must be given the details of the decryption algorithm so that it can decrypt the manually received PAC data.

ACS-Supported Features for PACs

ACS 5.3 supports the following features for PACs.

Machine PAC Authentication

Machine PAC-based authentication allows the machine to gain restricted network access before user authentication.

Proactive PAC Update

ACS proactively provides a new PAC to the client after successful authentication when a configured percentage of the PAC TTL remains. The tunnel PAC update is initiated by the server after the first successful authentication that is performed before the PAC expiration.
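The following is an added illustrative model, not Cisco ACS code, of the two server-side PAC rules described in this section: with Automatic In-Band PAC Provisioning disabled, a client without a usable PAC is refused EAP-FAST access (Manual PAC Provisioning above), and after a successful authentication the server triggers a proactive PAC update once no more than the configured percentage of the PAC TTL remains (Proactive PAC Update). The class and function names, the policy object, the treatment of an expired PAC as "no usable PAC", and the sample PACs are assumptions made for the example.

```python
"""
Illustrative model of ACS EAP-FAST PAC handling (assumed names, not ACS code):
  - no usable PAC + in-band provisioning off  -> access refused
  - successful authentication with <= N% of the PAC TTL left -> proactive update
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Pac:
    identity: str
    kind: str            # "user" or "machine"
    issued_at: datetime
    ttl: timedelta       # PAC Time to Live as configured when the PAC was generated

    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl

    def remaining_fraction(self, now: datetime) -> float:
        """Fraction of the TTL still left, clamped to [0, 1]."""
        remaining = (self.expires_at() - now) / self.ttl
        return max(0.0, min(1.0, remaining))


@dataclass(frozen=True)
class ServerPolicy:
    auto_inband_provisioning: bool   # the Global System Options switch
    proactive_update_pct: int        # refresh once this % of the TTL (or less) remains


def pac_decision(pac: Optional[Pac], policy: ServerPolicy, now: datetime,
                 inner_auth_ok: bool) -> str:
    """
    Server action for one EAP-FAST attempt:
      "reject-no-pac"    no usable PAC and in-band provisioning is disabled
      "provision-inband" no usable PAC; in-band provisioning will issue one
      "reject-auth"      PAC accepted but the inner authentication failed
      "accept-refresh"   authenticated; proactive PAC update is triggered
      "accept"           authenticated; PAC still has enough life left
    An expired PAC is treated like a missing one (modelling assumption).
    """
    usable = pac is not None and now < pac.expires_at()
    if not usable:
        return "provision-inband" if policy.auto_inband_provisioning else "reject-no-pac"
    if not inner_auth_ok:
        return "reject-auth"
    if pac.remaining_fraction(now) * 100 <= policy.proactive_update_pct:
        return "accept-refresh"
    return "accept"


def sample_scenarios() -> Dict[str, str]:
    """Constructed sample PACs run through both provisioning policies."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ttl = timedelta(days=90)
    fresh = Pac("alice", "user", now - timedelta(days=10), ttl)     # ~89% left
    aging = Pac("bob", "user", now - timedelta(days=85), ttl)       # ~5.6% left
    expired = Pac("host01$", "machine", now - timedelta(days=100), ttl)
    manual_only = ServerPolicy(auto_inband_provisioning=False, proactive_update_pct=10)
    auto = ServerPolicy(auto_inband_provisioning=True, proactive_update_pct=10)
    return {
        "no_pac_manual": pac_decision(None, manual_only, now, True),
        "no_pac_auto": pac_decision(None, auto, now, True),
        "expired_manual": pac_decision(expired, manual_only, now, True),
        "fresh_bad_password": pac_decision(fresh, manual_only, now, False),
        "fresh_ok": pac_decision(fresh, manual_only, now, True),
        "aging_ok": pac_decision(aging, manual_only, now, True),
    }


if __name__ == "__main__":
    for name, action in sample_scenarios().items():
        print(f"{name:20s} -> {action}")
```

The percentage threshold is applied only on a successful authentication that happens before expiry, which is why an expired PAC never reaches the refresh branch: in a manually provisioned deployment, the administrator has to regenerate and redistribute such a PAC, so tracking remaining TTL per client is the operational check that keeps users from being locked out.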


User Guide for Cisco Secure Access Control System 5.3

B-24

OL-24201-01
