Appendix B Authentication in ACS 5.3

EAP-FAST

To enable ACS to perform EAP-FAST authentication:

Step 1 Configure an identity store that supports EAP-FAST authentication.

To determine which identity stores support EAP-FAST authentication, see Authentication Protocol and Identity Store Compatibility, page B-35. For information about configuring identity stores, see Chapter 8, “Managing Users and Identity Stores.”

Step 2 Determine master key generation and PAC TTL values.

For information about how master key generation and PAC TTL values determine whether PAC provisioning or PAC refreshing is required, see Master Key Generation and PAC TTLs, page B-26.

Step 3 Determine whether you want to use automatic or manual PAC provisioning.

For more information about the two means of PAC provisioning, see Automatic In-Band PAC Provisioning, page B-23, and Manual PAC Provisioning, page B-24.

We recommend that you limit Automatic In-Band PAC Provisioning to the initial deployment of EAP-FAST, and then use manual PAC provisioning to add small numbers of new end-user clients to your network and to replace PACs whose master keys have expired.

Step 4 Using the decisions made in Step 2 and Step 3, enable EAP-FAST in the Global System Options drawer. See EAP-FAST, page B-18, for more information.

ACS is ready to perform EAP-FAST authentication.

Note The inner identity is not logged when the workstation-not-allowed error appears, the SSL handshake fails, an EAP-PAC is provisioned, or ACS receives an invalid PAC.

Related Topics

Managing Internal Identity Stores, page 8-4

Managing External Identity Stores, page 8-22

EAP-FAST PAC Management

The EAP-FAST master-key in ACS is used to encrypt or decrypt, sign, and authenticate the PACs and PAC-Opaques that EAP-FAST uses to store server-opaque data on a supplicant. EAP-FAST requires a distributed mechanism by which each server in the ACS domain can pack and unpack PACs securely, including PACs that were packed on a different server.

The EAP-FAST master-key must be derived from a common secret that is known to all servers in the ACS domain. The master-key is refreshed periodically, and the replacement keys are distributed securely and synchronized across all ACS servers. The keys are generated with high entropy to comply with strong cryptographic standards such as FIPS 140.

In previous versions of ACS, the master-key was distributed by the ACS distribution mechanism and was replaced from time to time to improve the security of those keys. ACS 5.3 introduces a new scheme that provides simplicity, correctness, robustness, and security for master-key distribution.

The new ACS EAP-FAST distribution scheme distributes the common seed-key securely; from that seed-key, each ACS server deterministically derives the same set of master-keys. Each PAC carries the information from which its master-key was derived, so each server can securely reconstruct the master-key that encrypted and signed the PAC.
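The following Python is an added illustration, not ACS code and not the real PAC-Opaque format: it models the scheme described above, with master keys derived deterministically from a shared seed-key plus a generation number, and a PAC-Opaque whose header names the generation so that any server holding the seed-key can rebuild the master key, verify the tag, and decrypt. The labels, the header layout, and the HMAC-SHA256 counter-mode keystream standing in for a block cipher are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Illustrative model only (assumed layout, not ACS's real PAC-Opaque format):
# a master key is derived deterministically from the shared seed-key and a
# generation number, so any server in the domain can rebuild the key that a
# PAC's header names, even if a different server packed the PAC.

def derive_master_key(seed_key: bytes, generation: int) -> bytes:
    """Master key for one refresh generation: HMAC-SHA256(seed, label || generation)."""
    label = b"EAP-FAST master-key" + struct.pack(">I", generation)
    return hmac.new(seed_key, label, hashlib.sha256).digest()

def _subkeys(master_key: bytes):
    """Split the master key into independent encryption and MAC keys."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a block cipher (stdlib only)."""
    out = b""
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]

def pack_pac(seed_key: bytes, generation: int, pac_info: bytes, nonce=None) -> bytes:
    """PAC-Opaque = generation || nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(derive_master_key(seed_key, generation))
    nonce = nonce if nonce is not None else os.urandom(16)
    header = struct.pack(">I", generation) + nonce
    ct = bytes(p ^ k for p, k in zip(pac_info, _keystream(enc_key, nonce, len(pac_info))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

def unpack_pac(seed_key: bytes, opaque: bytes):
    """Rebuild the master key named in the header, verify the tag, then decrypt.
    Returns None for a malformed, forged or tampered PAC (an 'invalid PAC')."""
    if len(opaque) < 4 + 16 + 32:
        return None
    generation = struct.unpack(">I", opaque[:4])[0]
    nonce, ct, tag = opaque[4:20], opaque[20:-32], opaque[-32:]
    enc_key, mac_key = _subkeys(derive_master_key(seed_key, generation))
    expected = hmac.new(mac_key, opaque[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

A server that receives a PAC packed under an older generation still unpacks it, because the generation in the header selects the key to rederive; a PAC under a different seed-key or with a modified byte fails the tag check and is rejected before any decryption.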

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
B-27