User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-TLS
Private Keys and Passwords Backup
The entire ACS database is replicated to the secondary instances and backed up on the primary ACS, together with all certificates, private keys, and the encrypted private-key passwords. The private-key-password key of the primary server is also included in the primary's backup; the private-key-password keys of the secondary ACS instances are not backed up.
Backup files are encrypted, so they can be moved in and out of ACS servers with relatively little exposure. A private key inside a backup is protected twice, by its PKCS#12 wrapping and by the backup-file encryption. The passwords that open the PKCS#12 private keys are protected by the backup encryption alone, so the backup encryption is what ultimately guards the keys once the file leaves the server.
EAP-TLS Flow in ACS 5.3
An EAP-TLS server exchanges data with a client by using packets based on the EAP Request and EAP Response packets, extended with EAP-TLS-specific data. ACS acts as the EAP-TLS server and uses the OpenSSL library to process the TLS conversation. From the completed TLS handshake, the ACS EAP-TLS server derives 128-bit MPPE send and receive keys; these session keys protect the traffic between the client and the network device after authentication.
The ACS EAP-TLS server delivers the MPPE keys to the network device in the RADIUS Access-Accept, inside Vendor-Specific attribute (26) with vendor code Microsoft (311) and vendor attributes MS-MPPE-Send-Key (16) and MS-MPPE-Recv-Key (17). The keys are not sent to the client over RADIUS; the client derives the same keys from its own side of the TLS handshake. Because the Access-Accept carries the session keys, the RADIUS shared secret between ACS and the network device is what protects them on the wire.
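The MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes described above are wrapped with the RADIUS shared secret and the Request Authenticator (the algorithm in RFC 2548, section 2.4.2) before they are placed in the Access-Accept. The following is an added example, not ACS code or any Cisco implementation; it encodes both attributes the way the server does, then unwraps them the way the network device does, and rejects blobs whose length byte or padding is inconsistent, which is the usual symptom of a shared-secret mismatch. The secret, keys and Request Authenticator are constructed test values.

```python
# RFC 2548 MS-MPPE-Send-Key / MS-MPPE-Recv-Key as carried in a RADIUS Access-Accept.
# Added example, not ACS code. All secrets, keys and the Request Authenticator
# below are constructed values, not captured from a real exchange.
import hashlib
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RADIUS attribute type
MS_VENDOR_ID = 311            # Microsoft enterprise number
MS_MPPE_SEND_KEY = 16         # vendor-type inside the Microsoft VSA
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_key_encrypt(key: bytes, secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Wrap a session key per RFC 2548 2.4.2 and return Salt || C1..Cn.

    P  = Key-Length || Key || zero padding to a multiple of 16 octets
    b1 = MD5(S + R + A)     c1 = p1 XOR b1
    bi = MD5(S + c(i-1))    ci = pi XOR bi
    S = shared secret, R = Request Authenticator of the matching Access-Request,
    A = two-octet salt with the high bit of the first octet set.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first byte set")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    out = bytearray(salt)
    prev = request_authenticator + salt        # first block keys off R || A
    for i in range(0, len(plaintext), 16):
        cipher_block = _xor(plaintext[i:i + 16], hashlib.md5(secret + prev).digest())
        out += cipher_block
        prev = cipher_block                    # later blocks chain on c(i-1)
    return bytes(out)


def mppe_key_decrypt(blob: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of mppe_key_encrypt, as the network device performs it on receipt."""
    salt, ciphertext = blob[:2], blob[2:]
    if len(salt) != 2 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plaintext = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(ciphertext), 16):
        cipher_block = ciphertext[i:i + 16]
        plaintext += _xor(cipher_block, hashlib.md5(secret + prev).digest())
        prev = cipher_block
    key_len = plaintext[0]
    # A wrong shared secret almost always shows up here as garbage length or padding.
    if key_len > len(plaintext) - 1 or any(plaintext[1 + key_len:]):
        raise ValueError("bad length or padding: wrong shared secret or corrupted attribute")
    return bytes(plaintext[1:1 + key_len])


def build_ms_mppe_vsa(vendor_type: int, encrypted_key: bytes) -> bytes:
    """Vendor-Specific (26): Type, Length, Vendor-Id(4), then the Microsoft
    sub-attribute: Vendor-Type (16 or 17), Vendor-Length, String."""
    sub = struct.pack("!BB", vendor_type, 2 + len(encrypted_key)) + encrypted_key
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), MS_VENDOR_ID) + sub


def parse_ms_mppe_vsa(attr: bytes) -> tuple:
    """Return (vendor_type, encrypted_key) from one Microsoft Vendor-Specific attribute."""
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != RADIUS_VENDOR_SPECIFIC or attr_len != len(attr) or vendor_id != MS_VENDOR_ID:
        raise ValueError("not a Microsoft Vendor-Specific attribute")
    if attr[7] != len(attr) - 6:
        raise ValueError("bad Vendor-Length")
    return attr[6], attr[8:]


# Constructed demo values.
DEMO_SECRET = b"radius-shared-secret"
DEMO_REQUEST_AUTHENTICATOR = bytes(range(16))
DEMO_SEND_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_RECV_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo_access_accept_attrs() -> bytes:
    """Server side: both MPPE attributes as they would appear in one Access-Accept.
    Each attribute in a packet gets its own salt, as RFC 2548 requires."""
    send = mppe_key_encrypt(DEMO_SEND_KEY, DEMO_SECRET, DEMO_REQUEST_AUTHENTICATOR, b"\x80\x01")
    recv = mppe_key_encrypt(DEMO_RECV_KEY, DEMO_SECRET, DEMO_REQUEST_AUTHENTICATOR, b"\x80\x02")
    return build_ms_mppe_vsa(MS_MPPE_SEND_KEY, send) + build_ms_mppe_vsa(MS_MPPE_RECV_KEY, recv)


def demo_nas_recover(attrs: bytes) -> dict:
    """Network-device side: walk the attribute bytes and unwrap each MPPE key."""
    keys, pos = {}, 0
    while pos < len(attrs):
        attr = attrs[pos:pos + attrs[pos + 1]]
        vendor_type, blob = parse_ms_mppe_vsa(attr)
        keys[vendor_type] = mppe_key_decrypt(blob, DEMO_SECRET, DEMO_REQUEST_AUTHENTICATOR)
        pos += len(attr)
    return keys


if __name__ == "__main__":
    recovered = demo_nas_recover(demo_access_accept_attrs())
    print("send key ok:", recovered[MS_MPPE_SEND_KEY] == DEMO_SEND_KEY)
    print("recv key ok:", recovered[MS_MPPE_RECV_KEY] == DEMO_RECV_KEY)
```

Note that the wrapping is only as strong as the RADIUS shared secret and MD5; anyone who can read the Access-Accept and knows the secret recovers the session keys, which is why RADIUS between ACS and the network device is normally carried over a management network or an IPsec tunnel.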
Figure B-2 shows the EAP-TLS processing flow between the host, network device, and ACS EAP-TLS
server.
Figure B-2 EAP-TLS Flow
1. A host connects to the network. The network device sends an EAP Request to the host.
2. The host sends an EAP Response to the network device. The network device embeds the EAP packet that it received from the host in a RADIUS Access-Request and sends it to ACS.
3. ACS negotiates the EAP method for authentication. The server and client must agree to use EAP-TLS (EAP method type 13) during EAP method negotiation before EAP-TLS authentication can begin.
4. The client (host) and the server (ACS) exchange certificates; this exchange spans several EAP messages. EAP-TLS authentication succeeds after the client and server have authenticated each other and each side knows that the other side has authenticated it.
5. ACS returns an EAP Success (or EAP Failure) message for the host and a RADIUS Access-Accept (or RADIUS Access-Reject) to the network device; the Access-Accept carries the EAP Success and the session keys, and the network device relays the EAP Success to the host.
(Figure B-2 draws three columns, Host, Network device, and ACS EAP-TLS server, with steps 1 to 5 shown as messages between them.)
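Steps 1 to 3 above are the EAP-over-RADIUS encapsulation the network device performs before ACS ever sees TLS data. The following is an added example, not ACS or Cisco code, of that encapsulation: an EAP Response is carried in EAP-Message (79) attributes of an Access-Request, accompanied by a Message-Authenticator (80), which RFC 3579 requires whenever EAP-Message is present and which the server must check before it processes the EAP payload. It also shows the Nak a host sends in step 3 when it wants method type 13. The shared secret, Request Authenticator and identity are constructed values.

```python
# EAP encapsulation in a RADIUS Access-Request (steps 1 to 3 of the EAP-TLS flow).
# Added example, not ACS code. Secret, Request Authenticator and identity are constructed.
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_TLS = 1, 3, 13
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_ATTR_VALUE = 253          # attribute Length is one octet and includes the 2-octet header


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes = b"") -> bytes:
    """EAP header (Code, Identifier, Length) followed by Type and Type-Data (RFC 3748)."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def radius_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long; split EAP-Message instead")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(identifier: int, request_authenticator: bytes, secret: bytes,
                   eap: bytes, user_name: bytes) -> bytes:
    """Network-device side: wrap an EAP packet in one or more EAP-Message attributes
    and append Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap), MAX_ATTR_VALUE):          # long EAP packets are split
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac       # Message-Authenticator is the last attribute


def iter_attrs(packet: bytes):
    """Yield (type, offset of value, value) for each attribute after the 20-octet header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: an Access-Request that carries EAP-Message without a valid
    Message-Authenticator must be discarded (RFC 3579 section 3.2)."""
    has_eap, mac_offset, received = False, None, None
    for attr_type, offset, value in iter_attrs(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            has_eap = True
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_offset, received = offset, value
    if mac_offset is None:
        return not has_eap          # EAP present but unauthenticated: reject
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def extract_eap(packet: bytes) -> bytes:
    """Server side: reassemble the EAP packet from consecutive EAP-Message attributes."""
    return b"".join(v for t, _, v in iter_attrs(packet) if t == ATTR_EAP_MESSAGE)


# Constructed demo values.
DEMO_SECRET = b"radius-shared-secret"
DEMO_REQUEST_AUTHENTICATOR = bytes(range(16))
DEMO_IDENTITY = b"host.example"


def demo_identity_response() -> bytes:
    """Step 2: the host's EAP-Response/Identity, forwarded to ACS in an Access-Request."""
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, DEMO_IDENTITY)
    return access_request(7, DEMO_REQUEST_AUTHENTICATOR, DEMO_SECRET, identity, DEMO_IDENTITY)


def demo_nak_for_eap_tls() -> bytes:
    """Step 3: if the server proposed another method, the host answers with a
    Nak whose Type-Data lists the method it will accept, EAP-TLS (13)."""
    nak = eap_packet(EAP_RESPONSE, 2, EAP_TYPE_NAK, bytes([EAP_TYPE_TLS]))
    return access_request(8, DEMO_REQUEST_AUTHENTICATOR, DEMO_SECRET, nak, DEMO_IDENTITY)
```

The Message-Authenticator check is the one a RADIUS server must run first: without it, anyone who can reach the RADIUS port can inject EAP packets into a session, since the Request Authenticator alone does not authenticate an Access-Request.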