User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
PAC Migration from ACS 4.x
Although the configuration can be migrated from ACS 4.x, the PACs themselves are stored only on
supplicants and may have been issued by versions as far back as ACS 3.x. ACS 5.3 accepts PACs of all
types according to the master-keys migrated from versions 4.x onwards, and re-issues a new 5.0 PAC,
similar to the proactive PAC update for EAP-FAST 5.0.
When ACS 5.3 accepts a PAC from either ACS 3.x or 4.x, it decrypts and authenticates the PAC
according to the 4.x master-key that was migrated from the ACS 4.x configuration. The decryption and
handling of this type of PAC is similar to the way the ACS 4.x PAC was handled.
The migration process involves converting the following data-items:
• EAP-FAST A-ID of ACS (Authority ID). This parameter replaces the deployment's A-ID of ACS 5.3.
• A list of retired ACS 4.x master-keys. The list is taken from the ACS 4.x configuration and placed
  in a new table in ACS 5.3. Each migrated master-key is associated with its expected time of
  expiration. The table is migrated along with the master-key identifier (index) and the PAC cipher
  assigned to each key.
EAP Authentication with RADIUS Key Wrap
You can configure ACS to use PEAP, EAP-FAST and EAP-TLS authentication with RADIUS Key Wrap.
ACS can then authenticate RADIUS messages and distribute the session key to the network access server
(NAS). The EAP session key is encrypted by using Advanced Encryption Standard (AES), and the
RADIUS message is authenticated by using HMAC-SHA-1.
Because RADIUS is used to transport EAP messages (in the EAP-Message attribute), securely
authenticating RADIUS messages ensures securely authenticated EAP message exchanges. You can use
RADIUS Key Wrap when PEAP, EAP-FAST or EAP-TLS authentication is enabled as an external
authentication method. Key Wrap is not supported for EAP-TLS as an inner method (for example, inside
EAP-FAST or PEAP).
RADIUS Key Wrap support in ACS uses three new AVPs for the cisco-av-pair RADIUS
Vendor-Specific-Attribute (VSA; the TLV value of the Cisco VSA is [26/9/1]):
• Random-Nonce—Generated by the NAS, it adds randomness to the key data encryption and
  authentication, and links request and response packets to prevent replay attacks.
• Key—Used for session key distribution.
• Message-Authenticator-Code—Ensures the authenticity of the RADIUS message, including the
  EAP-Message and Key attributes.
While using RADIUS Key Wrap, ACS enforces the use of these three RADIUS Key Wrap AVPs for
message exchanges and key delivery. ACS will reject all RADIUS (EAP) requests that contain both
RADIUS Key Wrap AVPs and the standard RADIUS Message-Authenticator attribute.
To use RADIUS Key Wrap in PEAP, EAP-FAST and EAP-TLS authentications, you must enable the
EAP authentication with RADIUS KeyWrap in the Network Devices and AAA Clients page or Default
Network Device page.
You must also define two shared secret keys for each AAA Client. Each key must be unique and
distinct from the RADIUS shared key. RADIUS Key Wrap does not support proxy functionality, and
should not be used with a proxy configuration.
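The following added example (not Cisco's code, and not taken from the user guide) models the server-side checks described above: it parses RADIUS attribute TLVs, extracts cisco-av-pair strings from the [26/9/1] VSA, rejects a request that carries Key Wrap AVPs together with the standard Message-Authenticator attribute, and verifies an HMAC-SHA-1 Message-Authenticator-Code using a MAC key that is distinct from the RADIUS shared secret. The av-pair names (random-nonce, key, message-authenticator-code), the hex encoding of the nonce and MAC, and the exact bytes the MAC covers are assumptions chosen for illustration; the real encoding and MAC coverage are fixed by the Key Wrap specification, and AES protection of the Key AVP is not shown. All packet contents are constructed inline.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers (RFC 2865/2869) and the Cisco VSA named in the guide
RADIUS_VSA = 26                      # Vendor-Specific
RADIUS_MESSAGE_AUTHENTICATOR = 80    # standard Message-Authenticator
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1                    # cisco-av-pair, i.e. [26/9/1]

# Hypothetical cisco-av-pair names standing in for the three Key Wrap AVPs the
# guide lists (Random-Nonce, Key, Message-Authenticator-Code); the real
# encoding is defined by the Key Wrap specification, not here.
KEYWRAP_AVPS = {"random-nonce", "key", "message-authenticator-code"}
MAC_AVP = "message-authenticator-code"


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including header), value."""
    return bytes([atype, len(value) + 2]) + value


def build_cisco_avpair(text: str) -> bytes:
    """Encode a cisco-av-pair string inside a Vendor-Specific attribute."""
    body = text.encode("ascii")
    vendor_part = bytes([CISCO_AV_PAIR, len(body) + 2]) + body
    return build_attr(RADIUS_VSA, struct.pack("!I", CISCO_VENDOR_ID) + vendor_part)


def parse_attributes(payload: bytes):
    """Walk the attribute TLVs of a RADIUS packet body into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def cisco_av_pairs(attrs):
    """Return the cisco-av-pair strings carried in vendor 9 / type 1 VSAs."""
    pairs = []
    for atype, value in attrs:
        if atype != RADIUS_VSA or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vtype, vlen = value[4], value[5]
        if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR and vlen == len(value) - 4:
            pairs.append(value[6:].decode("ascii", "replace"))
    return pairs


def keywrap_decision(attrs) -> str:
    """Rule from the guide: a request carrying Key Wrap AVPs together with the
    standard Message-Authenticator attribute is rejected."""
    names = {p.split("=", 1)[0].lower() for p in cisco_av_pairs(attrs)}
    has_keywrap = bool(names & KEYWRAP_AVPS)
    has_std_ma = any(a == RADIUS_MESSAGE_AUTHENTICATOR for a, _ in attrs)
    if has_keywrap and has_std_ma:
        return "reject"
    return "keywrap" if has_keywrap else "standard"


def _is_mac_avp(atype, value) -> bool:
    pairs = cisco_av_pairs([(atype, value)])
    return bool(pairs) and pairs[0].lower().startswith(MAC_AVP + "=")


def compute_mac(code, ident, authenticator, attrs, mac_key: bytes) -> str:
    """HMAC-SHA-1 over the header plus every attribute except the MAC AVP itself.
    Illustrative coverage only; the specification fixes what is really covered."""
    body = b"".join(build_attr(a, v) for a, v in attrs if not _is_mac_avp(a, v))
    header = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    return hmac.new(mac_key, header + body, hashlib.sha1).hexdigest()


def verify_mac(code, ident, authenticator, attrs, mac_key: bytes) -> bool:
    """Constant-time check of the single Message-Authenticator-Code AVP."""
    macs = [p.split("=", 1)[1] for p in cisco_av_pairs(attrs)
            if p.lower().startswith(MAC_AVP + "=")]
    if len(macs) != 1:
        return False
    return hmac.compare_digest(macs[0], compute_mac(code, ident, authenticator, attrs, mac_key))


def demo():
    """Constructed Access-Request in three variants: valid, mixed with the
    standard Message-Authenticator, and tampered after the MAC was computed."""
    mac_key = b"constructed-keywrap-mac-key"     # distinct from the RADIUS secret
    authenticator = bytes(range(16))             # constructed Request Authenticator
    nonce = bytes(range(16, 32)).hex()           # stands in for a NAS Random-Nonce
    base = [
        (1, b"alice"),                           # User-Name
        (79, b"\x02\x01\x00\x0a\x01alice"),      # EAP-Message: Response/Identity
        parse_attributes(build_cisco_avpair(f"random-nonce={nonce}"))[0],
    ]
    mac = compute_mac(1, 7, authenticator, base, mac_key)
    good = base + [parse_attributes(build_cisco_avpair(f"{MAC_AVP}={mac}"))[0]]
    mixed = good + [(RADIUS_MESSAGE_AUTHENTICATOR, bytes(16))]
    tampered = [(a, b"mallory") if a == 1 else (a, v) for a, v in good]
    return {
        "good": (keywrap_decision(good), verify_mac(1, 7, authenticator, good, mac_key)),
        "mixed": keywrap_decision(mixed),
        "tampered": (keywrap_decision(tampered), verify_mac(1, 7, authenticator, tampered, mac_key)),
        "roundtrip": parse_attributes(b"".join(build_attr(a, v) for a, v in good)) == good,
    }


if __name__ == "__main__":
    print(demo())
```

The decision step runs before any cryptographic check, which mirrors the guide's statement that ACS rejects a mixed request outright; keeping the MAC key separate from the RADIUS shared secret reflects the requirement that the two Key Wrap keys be distinct from it.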