B-24
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-FAST
To control whether ACS performs Automatic In-Band PAC Provisioning, use the options on the Global
System Options pages in the System Administration drawer. For more information, see EAP-FAST,
page B-18.
Manual PAC Provisioning
Manual PAC provisioning requires an ACS administrator to generate PAC files, which must then be
distributed to the applicable network users. Users must configure end-user clients with their PAC files.
You can use manual PAC provisioning to control who can use EAP-FAST to access your network. If you
disable Automatic In-Band PAC Provisioning, any EAP-FAST user who is not provisioned with a PAC
will not be able to access the network.
If your ACS deployment includes network segmentation, wherein a separate ACS controls access to each
network segment, manual PAC provisioning enables you to grant EAP-FAST access on a per-segment
basis.
For example, if your company uses EAP-FAST for wireless access in its Chicago and Boston offices and
the Cisco Aironet Access Points at each of these two offices are configured to use different ACSs, you
can determine, on a per-employee basis, whether Boston employees visiting the Chicago office can have
wireless access.
While the administrative overhead of manual PAC provisioning is much greater than that of automatic
in-band PAC provisioning, it does not risk sending the PAC over the network. Although manually
provisioning the PACs requires a lot of effort early on, in configuring many end-user clients during the
initial deployment, this type of provisioning is the most secure means for distributing PACs.
We recommend that, after a large EAP-FAST deployment, you manually perform PAC provisioning to
ensure the highest security for PACs.
You can generate PAC files for specific usernames. You can also generate a PAC for a machine and
provision the PAC manually to the client.
The following parameters are required to create a PAC:
- Whether it is a user or machine PAC.
- Identity stored in the Internal Identity Store ID field.
- PAC Time to Live (TTL).
- PAC encryption on or off, and the password for encryption.
The PAC can be encrypted with the specified password using the RC4 or AES algorithm. The details of the
decryption algorithm must be provided to the client so that it can decrypt the manually received PAC
data.
ACS-Supported Features for PACs
ACS 5.3 supports these features for PACs.
Machine PAC Authentication
Machine PAC-based authentication allows the machine to gain restricted network access before user
authentication.
Proactive PAC Update
ACS proactively provides a new PAC to the client after successful authentication when a configured
percentage of the PAC TTL remains. The tunnel PAC update is initiated by the server after the first
successful authentication that is performed before the PAC expiration.
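The proactive-update rule described above can be expressed as a small decision model, shown here as an added example that is not part of the Cisco user guide or the ACS product code. It models a tunnel PAC by its issue time and TTL, and a server-side decision that fires once, at the first successful authentication performed while the remaining TTL is at or below the configured percentage and before the PAC expires. The class and function names, the sample issue date, the 10-day TTL and the 10% threshold are all constructed for illustration; ACS's own internal representation and configuration names are not on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class TunnelPac:
    """Minimal model of a tunnel PAC (constructed for this example):
    when it was issued, how long it lives, and whether a replacement
    has already been pushed to the client."""
    issued_at: datetime
    ttl: timedelta
    updated: bool = False

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl

    def remaining_percent(self, now: datetime) -> float:
        """Share of the TTL still left at `now`; 0.0 once the PAC has expired."""
        remaining = self.expires_at - now
        if remaining <= timedelta(0):
            return 0.0
        return 100.0 * (remaining / self.ttl)  # timedelta / timedelta -> float


def proactive_update_decision(pac: TunnelPac, now: datetime,
                              auth_succeeded: bool,
                              threshold_percent: float) -> str:
    """Server-side decision at the end of one authentication attempt.

    Returns:
      'expired' - the PAC's TTL has run out; the proactive window is gone
      'update'  - push a new PAC now (first qualifying successful auth)
      'keep'    - nothing to do (failed auth, enough TTL left, or already updated)
    """
    if now >= pac.expires_at:
        return "expired"
    if not auth_succeeded:
        return "keep"          # only a successful authentication can trigger it
    if pac.updated:
        return "keep"          # the replacement was already delivered
    if pac.remaining_percent(now) <= threshold_percent:
        pac.updated = True     # record that the client now holds a fresh PAC
        return "update"
    return "keep"


def example_timeline() -> List[Tuple[str, str]]:
    """Run a constructed sequence of authentications against one PAC and
    return (event label, decision) pairs. Threshold: update when 10% or
    less of a 10-day TTL remains."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    pac = TunnelPac(issued_at=issued, ttl=timedelta(days=10))
    threshold = 10.0
    events = [
        ("day 5, success",          timedelta(days=5),           True),
        ("day 9, failure",          timedelta(days=9),           False),
        ("day 9 + 6h, success",     timedelta(days=9, hours=6),  True),
        ("day 9 + 12h, success",    timedelta(days=9, hours=12), True),
        ("day 11, success",         timedelta(days=11),          True),
    ]
    return [(label, proactive_update_decision(pac, issued + offset, ok, threshold))
            for label, offset, ok in events]


if __name__ == "__main__":
    for label, decision in example_timeline():
        print(f"{label:24s} -> {decision}")
```

The timeline shows the three cases a practitioner cares about: a successful authentication with plenty of TTL left changes nothing; a failed authentication inside the update window does not trigger an update; the first successful authentication inside the window pushes a new PAC, and later successful authentications do not push another one; and once the TTL has elapsed the proactive path no longer applies, so the client needs a fresh PAC through one of the provisioning methods described earlier in this appendix.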