B-27
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-FAST
To enable ACS to perform EAP-FAST authentication:
Step 1 Configure an identity store that supports EAP-FAST authentication.
To determine which identity stores support EAP-FAST authentication, see Authentication Protocol and
Identity Store Compatibility, page B-35. For information about configuring identity stores, see
Chapter 8, “Managing Users and Identity Stores.”
Step 2 Determine master key generation and PAC TTL values.
For information about how master key generation and PAC TTL values determine whether PAC
provisioning or PAC refreshing is required, see Master Key Generation and PAC TTLs, page B-26.
Step 3 Determine whether you want to use automatic or manual PAC provisioning.
For more information about the two means of PAC provisioning, see Automatic In-Band PAC
Provisioning, page B-23, and Manual PAC Provisioning, page B-24.
We recommend that you limit the use of Automatic In-Band PAC Provisioning to initial deployments of
EAP-FAST, before you use manual PAC provisioning for adding small numbers of new end-user clients
to your network and replacing PACs based on expired master keys.
Step 4 Using the decisions you made in Step 2 and Step 3, enable EAP-FAST in the Global Systems Options drawer.
See EAP-FAST, page B-18 for more information.
ACS is ready to perform EAP-FAST authentication.
Note The inner identity is not logged in any of the following cases: the "workstation not allowed" error
appears, the SSL handshake fails, an EAP PAC is being provisioned, or ACS receives an invalid PAC.
Related Topics
Managing Internal Identity Stores, page 8-4
Managing External Identity Stores, page 8-22
EAP-FAST PAC Management
The EAP-FAST master-key in ACS is used to encrypt and decrypt, sign and authenticate the PACs and
PAC-Opaques with which EAP-FAST stores server-opaque data on a supplicant. EAP-FAST
requires a distributed mechanism by which each server in the ACS domain is able to pack and unpack
PACs securely, including those that were packed on a different server.
The EAP-FAST master-key must be based on a common secret that is known to all servers in the ACS domain.
The master-key is periodically refreshed, and keys are replaced securely and synchronized across all ACS
servers. The keys are generated with high entropy to comply with strong cryptographic standards such as
FIPS 140.
In previous versions of ACS, the master-key was distributed by the ACS distribution mechanism and was
replaced from time to time to improve the security of those keys. ACS 5.3 introduces a new scheme that
provides simplicity, correctness, robustness, and security for master-key distribution.
The new ACS EAP-FAST distribution scheme provides a secure way of distributing a common
seed-key, from which each ACS server can deterministically derive the same set of master-keys. Each
PAC contains the information from which its master-key was derived, so each server can securely
reconstruct the master-key that encrypted and signed the PAC.
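The following Python is an added illustration of the seed-key scheme described above; it is not Cisco's code and not the derivation ACS actually uses. It models a shared seed-key, master-keys derived deterministically from it by key number, and a PAC-Opaque that carries that key number in the clear so any server holding the seed can rebuild the master-key to verify and decrypt the PAC. The seed value, the key-id layout and the HMAC-based keystream are assumptions chosen to keep the example standard-library only.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared seed-key: stands in for the common secret every ACS server
# in the domain holds, from which it derives the same set of master-keys.
SEED_KEY = bytes.fromhex("0f" * 32)
NONCE_LEN, TAG_LEN, PAC_KEY_LEN = 16, 32, 32  # PAC-Key is 32 octets in EAP-FAST

def derive_master_key(seed_key: bytes, key_id: int) -> bytes:
    """Deterministically derive master-key number key_id from the shared seed."""
    label = b"EAP-FAST master-key" + struct.pack(">I", key_id)
    return hmac.new(seed_key, label, hashlib.sha256).digest()

def _subkeys(master_key: bytes):
    """Split one master-key into separate encryption and MAC keys."""
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an assumed stand-in for a real cipher."""
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def pack_pac(seed_key: bytes, key_id: int, pac_key: bytes, pac_info: bytes) -> bytes:
    """Build a PAC-Opaque as key_id || nonce || ciphertext || tag; key_id travels
    in the clear so any server holding the seed can rederive the master-key."""
    enc_key, mac_key = _subkeys(derive_master_key(seed_key, key_id))
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = pac_key + pac_info
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = struct.pack(">I", key_id) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

def unpack_pac(seed_key: bytes, pac_opaque: bytes):
    """Verify, then decrypt, a PAC-Opaque on any server holding the seed-key.
    Returns (pac_key, pac_info), or None for an invalid or truncated PAC."""
    if len(pac_opaque) < 4 + NONCE_LEN + PAC_KEY_LEN + TAG_LEN:
        return None
    header, body = pac_opaque[:4 + NONCE_LEN], pac_opaque[4 + NONCE_LEN:-TAG_LEN]
    key_id = struct.unpack(">I", header[:4])[0]
    enc_key, mac_key = _subkeys(derive_master_key(seed_key, key_id))
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(pac_opaque[-TAG_LEN:], expected):
        return None  # wrong seed, altered key_id or tampered bytes: reject first
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, header[4:], len(body))))
    return plaintext[:PAC_KEY_LEN], plaintext[PAC_KEY_LEN:]
```

A second server needs only SEED_KEY and the key_id read from the PAC-Opaque to call unpack_pac; an invalid PAC is rejected by the tag check before any decryption.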