Appendix B Authentication in ACS 5.3

EAP-FAST

The proactive PAC update time is configured for the ACS server in the Allowed Protocols page. This mechanism allows the client to be kept updated with a valid PAC at all times.

Note: There is no proactive PAC update for Machine and Authorization PACs.

Accept Peer on Authenticated Provisioning

The peer may be authenticated during the provisioning phase.

PAC-Less Authentication

With PAC-less EAP-FAST Authentication, you can run EAP-FAST on ACS without issuing or accepting any tunnel or machine-generated PAC. The secure tunnel may be established by using a certificate rather than a PAC. Some PACs may be long-lived and not updated, which may cause authentication and security problems.

When PAC-less EAP-FAST is enabled, requests for PACs are ignored. Authentication begins with EAP-FAST phase zero and all subsequent requests for PACs are ignored. The flow moves on to EAP-FAST phase two. ACS responds with a Success-TLV message, without a PAC.

If a client attempts to establish a tunnel with a PAC, ACS responds with a PAC Invalid message. The tunnel establishment does not occur, and an Access-Reject is sent. The host or supplicant can reattempt to connect.

Anonymous phase zero, also known as ADHP, is not supported for PAC-less authentication because the protocol does not support rolling over to phase two. PAC-less EAP-FAST supports configuration and does not require a client certificate.

Table B-3 displays the different types of PACs and the authentication and authorization methods you can use them for.

Table B-3    PAC Rules Summary

PAC Type | Tunnel v1/v1a/SGA | Machine | Authorization
Provide PAC on request on provisioning | Yes | Yes | Provide PAC on request on provisioning.
Provide PAC on request on authentication | Yes | Yes | Only if the PAC was not used in this authentication.
Proactive update | Yes | No | No
When PAC is expired | Reject, try to fall back to TLS, provide a new PAC after successful authentication only (tunnel PAC). | Reject, try to fall back to TLS, provide a new PAC after successful authentication only (machine PAC). | Reject and provide a new PAC after successful authentication only (authorization PAC).
Support ACS 3.x/4.x PACs | For Tunnel PAC v1/v1a only | Yes | No

Related Topics

About PACs, page B-21

Provisioning Modes, page B-22

Types of PACs, page B-22

Master Key Generation and PAC TTLs, page B-26
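The following is an added example, not Cisco ACS code, that models the PAC handling rules described above and summarised in Table B-3 (PAC-less mode, expiry handling, proactive update, the "provide PAC on request" rows and legacy PAC acceptance) as a small decision routine that can be exercised against constructed PACs. The function names, the `proactive_update_window` parameter, the returned action strings and the PAC field layout are assumptions made here; in particular it assumes the proactive update compares the PAC's remaining lifetime with the configured update time.

```python
"""Model of the EAP-FAST PAC handling rules in this appendix.

Added illustration only, not Cisco ACS code.  Function names, the
proactive_update_window parameter, the action strings and the Pac fields
are assumptions so that the rules can be run against constructed PACs.
"""
from dataclasses import dataclass
from enum import Enum


class PacType(Enum):
    TUNNEL = "tunnel"              # Tunnel PAC v1/v1a/SGA
    MACHINE = "machine"
    AUTHORIZATION = "authorization"


@dataclass(frozen=True)
class Pac:
    pac_type: PacType
    issued_at: int   # seconds; constructed values, not a real PAC-Opaque
    ttl: int         # lifetime in seconds

    def expired(self, now: int) -> bool:
        return now >= self.issued_at + self.ttl

    def remaining(self, now: int) -> int:
        return max(0, self.issued_at + self.ttl - now)


def handle_presented_pac(pac: Pac, now: int, pac_less_enabled: bool,
                         proactive_update_window: int) -> str:
    """Decide what the server does when a client presents `pac` at time `now`.

    proactive_update_window models the configured proactive PAC update time:
    a valid tunnel PAC with less than this much lifetime left is refreshed
    during the authentication (assumption: remaining lifetime is compared).
    """
    if pac_less_enabled and pac.pac_type in (PacType.TUNNEL, PacType.MACHINE):
        # PAC-less mode: no tunnel or machine PAC is accepted; the tunnel
        # may only be built from a certificate, and the client may retry.
        return "PAC Invalid; Access-Reject (client may retry)"
    if pac.expired(now):
        if pac.pac_type is PacType.AUTHORIZATION:
            return "reject; provide a new authorization PAC after successful authentication"
        # Tunnel and machine PACs: fall back to a TLS-established tunnel and
        # re-issue the PAC only once the peer has authenticated.
        return "reject; fall back to TLS; provide a new PAC after successful authentication"
    if (pac.pac_type is PacType.TUNNEL
            and pac.remaining(now) < proactive_update_window):
        return "accept; proactive update issues a fresh tunnel PAC"
    return "accept"   # machine/authorization PACs have no proactive update


def provide_pac_on_request(pac_type: PacType, phase: str,
                           used_in_this_authentication: bool,
                           pac_less_enabled: bool) -> bool:
    """Rows 1-2 of Table B-3: may a PAC of this type be sent when requested?"""
    if pac_less_enabled:
        return False        # all PAC requests are ignored in PAC-less mode
    if phase == "provisioning":
        return True
    if phase == "authentication":
        if pac_type is PacType.AUTHORIZATION:
            # Only if the authorization PAC was not used in this authentication.
            return not used_in_this_authentication
        return True
    raise ValueError(f"unknown phase {phase!r}")


def legacy_pac_supported(pac_type: PacType, version: str) -> bool:
    """Last row of Table B-3: acceptance of PACs issued by ACS 3.x/4.x."""
    if pac_type is PacType.TUNNEL:
        return version in ("v1", "v1a")
    return pac_type is PacType.MACHINE


if __name__ == "__main__":
    # Constructed PAC issued at t=0 with a one-hour lifetime, checked with a
    # ten-minute proactive update window at several points in time.
    tunnel = Pac(PacType.TUNNEL, issued_at=0, ttl=3600)
    for t in (100, 3100, 4000):
        print(t, handle_presented_pac(tunnel, t, False, 600))
    print("pac-less:", handle_presented_pac(tunnel, 100, True, 600))
```

The routine separates the three decisions a server makes: whether a presented PAC is usable at all (PAC-less mode, expiry, proactive refresh), whether a requested PAC may be handed out in the current phase, and whether a PAC minted by an older ACS release is still honoured.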

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
B-25