

 
User Guide for Cisco Secure Access Control System 5.3, OL-24201-01 (page 10-18)
Chapter 10 Managing Access Policies: Configuring Access Services
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)

Option: Allow EAP-FAST (continued)

Description:

PAC Options

- Tunnel PAC Time To Live—The Time To Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is one (1) day.

- Proactive PAC Update When: <n%> of PAC TTL is Left—The Update value ensures that the client has a valid PAC. ACS initiates update after the first successful authentication but before the expiration time that is set by the TTL. The Update value is a percentage of the remaining time in the TTL. (Default: 10%)

- Allow Anonymous In-band PAC Provisioning—Check for ACS to establish a secure anonymous TLS handshake with the client and provision it with a so-called PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2.

  Note: To enable Anonymous PAC Provisioning, you must choose both the inner methods, EAP-MSCHAPv2 and EAP-GTC.

- Allow Authenticated In-band PAC Provisioning—ACS uses Secure Socket Layer (SSL) server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on ACS.

  When you check this option, you can configure ACS to return an Access-Accept message to the client after successful authenticated PAC provisioning.

- Allow Machine Authentication—Check for ACS to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials).

  The machine PAC can be provisioned to the client by request (in-band) or by administrator (out-of-band). When ACS receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the ACS external identity store. After these details are correctly verified, no further authentication is performed.

  Note: ACS 5.3 only supports Active Directory as an external identity store for machine authentication.

  When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When ACS receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).

- Enable Stateless Session Resume—Check for ACS to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).

  Uncheck this option:
  - If you do not want ACS to provision authorization PACs for EAP-FAST clients.
  - To always perform phase two of EAP-FAST.

  When you check this option, you can enter the authorization period of the user authorization PAC. After this period the PAC expires. When ACS receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
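The PAC options above describe three lifetimes (tunnel PAC TTL with its proactive update window, machine PAC acceptance period, and authorization PAC period) and a different consequence when each expires. The following Python model is an added illustration of those decisions, written for this page; it is not Cisco ACS code and does not speak EAP-FAST. The one-day tunnel TTL and 10% update threshold are the defaults stated above; the machine PAC and authorization PAC lifetimes are assumed sample values (the page gives no defaults), and treating an expired tunnel PAC as "needs provisioning again" is an assumption, since the page only describes the machine and authorization cases.

```python
"""Model of the ACS EAP-FAST PAC lifetime decisions described in Table 10-7.
Added illustration for this page, not Cisco ACS code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class PacKind(Enum):
    TUNNEL = "tunnel"                # provisioned in EAP-FAST phase zero
    MACHINE = "machine"              # "Allow Machine Authentication"
    AUTHORIZATION = "authorization"  # "Enable Stateless Session Resume"


class Action(Enum):
    ACCEPT = "accept"                                    # PAC valid, used as-is
    ACCEPT_THEN_UPDATE = "accept_then_update"            # valid, but inside the proactive update window
    REPROVISION_MACHINE_PAC = "reprovision_machine_pac"  # expired machine PAC: ACS pushes a new one unprompted
    RUN_PHASE_TWO = "run_phase_two"                      # expired authorization PAC: full phase two
    NEEDS_PROVISIONING = "needs_provisioning"            # expired tunnel PAC (assumption: phase zero again)


@dataclass(frozen=True)
class PacPolicy:
    tunnel_ttl: timedelta = timedelta(days=1)          # "Tunnel PAC Time To Live", default one day
    proactive_update_pct: int = 10                     # update when this % of the TTL is left, default 10%
    machine_pac_ttl: timedelta = timedelta(days=7)     # assumed sample value; no default given on the page
    authorization_ttl: timedelta = timedelta(hours=1)  # assumed sample value; no default given on the page


@dataclass(frozen=True)
class Pac:
    kind: PacKind
    issued_at: datetime


def ttl_for(policy: PacPolicy, kind: PacKind) -> timedelta:
    return {
        PacKind.TUNNEL: policy.tunnel_ttl,
        PacKind.MACHINE: policy.machine_pac_ttl,
        PacKind.AUTHORIZATION: policy.authorization_ttl,
    }[kind]


def expires_at(policy: PacPolicy, pac: Pac) -> datetime:
    return pac.issued_at + ttl_for(policy, pac.kind)


def proactive_update_starts(policy: PacPolicy, pac: Pac) -> datetime:
    """First instant at which a successful authentication triggers a refresh of the
    tunnel PAC: when only proactive_update_pct percent of the TTL remains."""
    ttl = ttl_for(policy, pac.kind)
    remaining_threshold = ttl * policy.proactive_update_pct / 100
    return pac.issued_at + ttl - remaining_threshold


def evaluate_pac(policy: PacPolicy, pac: Pac, now: datetime,
                 auth_succeeded: bool = True) -> Action:
    """Decide what the server does with a presented PAC at time `now`."""
    if now >= expires_at(policy, pac):
        if pac.kind is PacKind.MACHINE:
            return Action.REPROVISION_MACHINE_PAC
        if pac.kind is PacKind.AUTHORIZATION:
            return Action.RUN_PHASE_TWO
        return Action.NEEDS_PROVISIONING
    # Proactive update only fires after a successful authentication and only
    # once the PAC is inside its final proactive_update_pct percent of lifetime.
    if (pac.kind is PacKind.TUNNEL and auth_succeeded
            and now >= proactive_update_starts(policy, pac)):
        return Action.ACCEPT_THEN_UPDATE
    return Action.ACCEPT


# Constructed sample issue time used by the helpers below.
ISSUED = datetime(2024, 1, 1, 0, 0)


def decision_after(kind: PacKind, hours: float, policy: PacPolicy = PacPolicy(),
                   auth_succeeded: bool = True) -> str:
    """Decision for a PAC of `kind` presented `hours` after ISSUED."""
    pac = Pac(kind, ISSUED)
    now = ISSUED + timedelta(hours=hours)
    return evaluate_pac(policy, pac, now, auth_succeeded).value


def update_window_hours(policy: PacPolicy = PacPolicy()) -> float:
    """Hours after issue at which the proactive update window opens for a tunnel PAC."""
    pac = Pac(PacKind.TUNNEL, ISSUED)
    return (proactive_update_starts(policy, pac) - ISSUED).total_seconds() / 3600


if __name__ == "__main__":
    # With the defaults (1 day TTL, 10%), refreshes begin 21.6 hours after issue.
    print("proactive update window opens after", update_window_hours(), "hours")
    for kind, hours in [(PacKind.TUNNEL, 12), (PacKind.TUNNEL, 22), (PacKind.TUNNEL, 24),
                        (PacKind.MACHINE, 24 * 7), (PacKind.AUTHORIZATION, 2)]:
        print(kind.value, "after", hours, "h ->", decision_after(kind, hours))
```

Lowering the proactive update percentage shortens the refresh window, so a client that only authenticates occasionally may let its tunnel PAC expire and fall back to provisioning; the model makes that trade-off visible before the values are committed in ACS.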