Support User Manuals

Cisco Systems OL-24201-01 Camera Accessories User Manual

Open as PDF

of 650

B-25

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Appendix B Authentication in ACS 5.3

EAP-FAST

The proactive PAC update time is configured for the ACS server in the Allowed Protocols Page. This

mechanism allows the client to be always updated with a valid PAC.

Note There is no proactive PAC update for Machine and Authorization PACs.

Accept Peer on Authenticated Provisioning

The peer may be authenticated during the provisioning phase.

PAC-Less Authentication

With PAC-less EAP-FAST Authentication, you can run EAP-FAST on ACS without issuing or accepting

any tunnel or machine-generated PAC. The secure tunnel may be established by using a certificate rather

than a PAC. Some PACs may be long-lived and not updated, which may cause authentication and security

problems.

When PAC-less EAP-FAST is enabled, requests for PACs are ignored. Authentication begins with

EAP-FAST phase zero and all subsequent requests for PACs are ignored. The flow moves on to

EAP-FAST phase two. ACS responds with a Success-TLV message, without a PAC.

If a client attempts to establish a tunnel with a PAC, ACS responds with a PAC Invalid message. The

tunnel establishment does not occur, and an Access-Reject is sent. The host or supplicant can reattempt

to connect.

Anonymous phase zero, also known as ADHP is not supported for PAC-less authentication since the

protocol does not support rolling over to phase two. PAC-less EAP-Fast supports configuration and does

not require a client certificate.

Table B-3 displays the different types of PACs and the authentication and authorization methods you can

use them for.

Related Topics

• About PACs, page B-21

• Provisioning Modes, page B-22

• Types of PACs, page B-22

• Master Key Generation and PAC TTLs, page B-26

Table B-3 PAC Rules Summary

PAC Type Tunnel v1/v1a/SGA Machine Authorization

Provide PAC on request on

provisioning

Yes Yes Provide PAC on request on

provisioning.

Provide PAC on request on

authentication

Yes Yes Only if the PAC was not used in

this authentication.

Proactive update Yes No No

When PAC is expired Reject, try to fall on TLS

fallback, provide a new PAC

after successful

authentication only (tunnel

PAC).

Reject, try to fall on TLS

fallback, provide a new PAC

after successful

authentication only (machine

PAC).

Reject and provide a new PAC

after successful authentication

only (authorization PAC).

Support ACS 3.x/4.x PACs For Tunnel PAC v1/v1a only Yes No

previous next