B-17
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
PEAPv0/1
PEAP Flow in ACS 5.3
The PEAP protocol allows authentication between ACS and the peer by using the PKI-based secure tunnel establishment and the EAP-MSCHAPv2 protocol as the inner method inside the tunnel. The local certificate can be validated by the peer (server-authenticated mode) or not validated (server-unauthenticated mode).
This section contains:
Creating the TLS Tunnel, page B-17
Authenticating with MSCHAPv2, page B-18
Figure B-3 shows the PEAP processing flow between the host, access point, network device, and ACS EAP-TLS server.
Figure B-3 PEAP Processing Flow
[Figure B-3: Phase 1: the client authenticates the server certificate and the TLS tunnel is created. Phase 2: user authentication credentials are sent through the TLS tunnel again using EAP; the RADIUS server authenticates to the user repository; the client gets network access and the AP gets encryption keys.]
Creating the TLS Tunnel
The following describes the process for creating the TLS tunnel:
1 After creating a logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.
2 The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
3 The wireless AP sends the EAP-Response/Identity message to ACS. From this point on, the logical communication occurs between ACS and the wireless client by using the wireless AP as a pass-through device.
4 ACS sends an EAP-Request/Start PEAP message to the wireless client.
5 The wireless client and ACS exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated. In ACS 5.3, the client certificate is not used in PEAP.
6 At the end of the PEAP negotiation, ACS has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (by using public key cryptography, not passwords) for the TLS channel.
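The following is an added example, not code from the Cisco guide or from ACS: it encodes and parses the EAP messages exchanged in steps 1 through 4 above (EAP-Request/Identity, EAP-Response/Identity, EAP-Request/Start PEAP) using the standard EAP header layout and the PEAP flags byte, with constructed packet values, so that a reader can see exactly what crosses the wire before the TLS tunnel of step 5 exists.

```python
# Added example (not Cisco ACS code): the EAP packets of steps 1-4 of the PEAP flow.
# EAP header: Code(1) Identifier(1) Length(2) Type(1) Type-Data (RFC 3748).
# PEAP Type-Data starts with a flags byte: L=0x80 (length included), M=0x40 (more
# fragments), S=0x20 (start); low 3 bits carry the PEAP version.
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_PEAP = 1, 25
PEAP_FLAG_L, PEAP_FLAG_M, PEAP_FLAG_S = 0x80, 0x40, 0x20


def eap_packet(code, ident, eap_type, data=b""):
    """Build one EAP packet; Length covers the whole packet including the header."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet, rejecting a Length field that disagrees with the bytes."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": ident, "type": pkt[4], "data": pkt[5:]}


def peap_start(ident, version=0):
    """Step 4: EAP-Request/PEAP with the S (start) flag set and no TLS payload yet."""
    return eap_packet(EAP_REQUEST, ident, TYPE_PEAP, bytes([PEAP_FLAG_S | (version & 0x07)]))


def peap_flags(data):
    """Split the PEAP flags byte into its L/M/S bits and version number."""
    f = data[0]
    return {"L": bool(f & PEAP_FLAG_L), "M": bool(f & PEAP_FLAG_M),
            "S": bool(f & PEAP_FLAG_S), "version": f & 0x07}


def phase1_preamble(identity: bytes):
    """Steps 1-4: AP asks for identity, client answers, ACS starts PEAP.
    Returns (outer identity seen by ACS, flags of the PEAP Start request).
    Note: the outer identity travels before any tunnel exists, so it is visible
    to anyone on the path; the inner MSCHAPv2 credentials of step 7+ are not."""
    request = eap_packet(EAP_REQUEST, 1, TYPE_IDENTITY)            # step 1
    response = eap_packet(EAP_RESPONSE, 1, TYPE_IDENTITY, identity)  # step 2
    req, resp = parse_eap(request), parse_eap(response)             # step 3 (pass-through)
    if resp["id"] != req["id"] or resp["type"] != TYPE_IDENTITY:
        raise ValueError("identity response does not match the outstanding request")
    start = parse_eap(peap_start(ident=req["id"] + 1))              # step 4
    return resp["data"].decode(), peap_flags(start["data"])
```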