Cisco Systems OL-24201-01 Camera Accessories User Manual

Open as PDF

of 650

B-22

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Appendix B Authentication in ACS 5.3

EAP-FAST

Provisioning Modes

ACS supports out-of-band and in-band provisioning modes. The in-band provisioning mode operates

inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key

agreement.

To minimize the risk of exposing the user’s credentials, a clear text password should not be used outside

of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's

credentials within the protected tunnel. The information contained in the PAC is also available for further

authentication sessions after the inner EAP method has completed.

EAP-FAST has been enhanced to support an authenticated tunnel (by using the server certificate) inside

which PAC provisioning occurs. The new cipher suites that are enhancements to EAP-FAST, and

specifically the server certificate, are used.

At the end of a provisioning session that uses an authenticated tunnel, network access can be granted

because the server and user have authenticated each other.

ACS supports the following EAP methods inside the tunnel for provisioning:

• EAP-MSCHAPv2

• EAP-GTC

By default, when you use EAP-MSCHAP inner methods, ACS allows authentication attempts up to the

specified value you configured on the Service page inside the TLS tunnel if the initial authentication

attempt fails. After the fourth failed authentication attempt inside the SSL tunnel, ACS terminates the

EAP conversation, resulting in a RADIUS Access-Reject.

ACS supports issuing an out-of-band PAC file that allows you to generate a PAC that can be downloaded

to ACS.

Types of PACs

ACS supports the following types of PACs:

• Tunnel v1 and v1a

• SGA

• Machine

• Authorization

ACS provisions supplicants with a PAC that contains a shared secret that is used in building a TLS tunnel

between the supplicant and ACS. ACS provisions supplicants with PACs that have a wider contextual

use.

The following types of PACs are provisioned to ACS, as per server policies:

• Tunnel/Machine PAC—Contains user or machine information, but no policy information.

• User Authorization PAC—Contains policy elements (for example, inner method used for user

authentication). You can use the User Authorization PACs to allow a stateless server session to

resume, as described in Session Resume, page B-16.

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems OL-24201-01 Camera Accessories User Manual