<html>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META NAME="Short-Help-File" CONTENT="authenConfig/SH_EAPFAST.htm">
<TITLE>EAP FAST</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" BACKGROUND="/images/page_background.gif">
<font face="Verdana" size="1">
<A NAME="Top"><IMG SRC="/images/bb_help.gif" HSPACE=10> </A>
<BLOCKQUOTE>
<p><b>EAP-FAST Configuration Page</b></p>
<p>Use this page to configure EAP-FAST authentication settings.</p>
<UL>
<LI><A HREF="#EAPFAST"><B>EAP-FAST Settings</B></A>
<LI><A HREF="#CLIENT"><B>Client initial message</B></A>
<LI><A HREF="#AUTHID"><B>Authority ID Info</B></A>
<LI><A HREF="#ALLOWAN"><B>Allow anonymous in-band PAC provisioning</B></A>
<LI><A HREF="#ALLOWAU"><B>Allow authenticated in-band PAC provisioning</B></A>
<LI><A HREF="#STRIPPEDIID"><B>Allow stripped user identity on PAC provisioning</B></A>
<LI><A HREF="#ALLOWMA"><B>Allow machine authentication</B></A>
<LI><A HREF="#ALLOWST"><B>Allow stateless session resume</B></A>
<LI><A HREF="#ALLOWIN"><B>Allowed inner methods</B></A>
<LI><A HREF="#CERTC"><B>Certificate Comparison</B></A>
<LI><A HREF="#EAPTLS"><B>EAP-TLS session timeout (minutes)</B></A>
<LI><A HREF="#EAPMAS"><B>EAP-FAST master server</B></A>
<LI><A HREF="#ACTUAL"><B>Actual EAP-FAST server status</B></A>
</UL>
</BLOCKQUOTE>
<BLOCKQUOTE>
<A NAME="EAPFAST"><B>EAP-FAST Settings</B></A>
</BLOCKQUOTE>
<UL>
<LI><p><B>Allow EAP-FAST</B>—To enable EAP-FAST authentication, select this check box.</p></LI>
<LI><P><B>Active Master Key TTL</B>—Enter a value for the amount of time that a master key is used to generate new Protected Access Credentials (PACs).
When the time to live (TTL) defined for the Master Key expires, the master key is
considered retired and a new master key is generated.</P></LI>
<LI><P><B>Retired master key TTL</B>—Enter a value for the amount of time that PACs generated using a retired master key are acceptable for EAP-FAST authentication. When an end-user client gains network access using a PAC based on a retired master key, ACS sends a new PAC to the end-user client.</P></LI>
<LI><P><b>Tunnel PAC TTL</b>—Enter a value for the amount of time that a PAC is used before it expires and must be replaced. If the master key used to generate
the Tunnel PAC has not expired, new PAC creation and assignment is automatic. If the master key used to generate
the Tunnel PAC has expired, automatic or manual provisioning must be used to provide the end-user client with a new PAC.</p>
<p>The following table summarizes ACS behavior regarding the lifespans of PACs, master keys, and retired master keys:</p>
<TABLE BORDER="1" ALIGN="center" TITLE="PAC vs Master Key States">
<TR BGCOLOR="Gray">
<TD><font size="1">Master Key vs. PAC</font></TD>
<TD><font size="1">PAC active</font></TD>
<TD><font size="1">PAC expired</font></TD>
</TR>
<TR>
<TD BGCOLOR="Gray"><font size="1">Master key active</font></TD>
<TD><font size="1">PAC not replaced</font></TD>
<TD><font size="1">New PAC sent</font></TD>
</TR>
<TR>
<TD BGCOLOR="Gray"><font size="1">Master key retired</font></TD>
<TD><font size="1">New PAC sent</font></TD>
<TD><font size="1">New PAC sent</font></TD>
</TR>
<TR>
<TD BGCOLOR="Gray"><font size="1">Master key expired</font></TD>
<TD><font size="1">PAC provisioning required</font></TD>
<TD><font size="1">PAC provisioning required</font></TD>
</TR>
</table>
</LI>
</UL>
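<p>As an added example (not Cisco's own code), the following Python models the master-key and PAC lifetime rules summarized in the table above, turning the three TTLs into key and PAC states and then into the resulting ACS action; the TTL values, timestamps and all class and function names are constructed for this illustration.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MasterKey:
    """A PAC-generating master key with the two TTLs configured on this page."""
    created: int       # time the master key was generated
    active_ttl: int    # Active master key TTL
    retired_ttl: int   # Retired master key TTL

    def state(self, now: int) -> str:
        age = now - self.created
        if age < self.active_ttl:
            return "active"    # still used to generate new PACs
        if age < self.active_ttl + self.retired_ttl:
            return "retired"   # PACs it generated are accepted but replaced
        return "expired"       # PACs it generated can no longer be validated


@dataclass(frozen=True)
class TunnelPac:
    issued: int
    ttl: int           # Tunnel PAC TTL
    key: MasterKey     # the master key that generated this PAC

    def state(self, now: int) -> str:
        return "active" if now - self.issued < self.ttl else "expired"


# Outcome table from the page, indexed by (master key state, PAC state).
OUTCOME = {
    ("active", "active"): "PAC not replaced",
    ("active", "expired"): "New PAC sent",
    ("retired", "active"): "New PAC sent",
    ("retired", "expired"): "New PAC sent",
    ("expired", "active"): "PAC provisioning required",
    ("expired", "expired"): "PAC provisioning required",
}


def pac_decision(pac: TunnelPac, now: int) -> str:
    """What ACS does when a client presents `pac` at time `now`."""
    return OUTCOME[(pac.key.state(now), pac.state(now))]


def seamless_refresh_deadline(pac: TunnelPac) -> int:
    """Last instant at which presenting `pac` still yields an automatic new PAC.

    Once the master key expires, the client must go through PAC provisioning
    (phase zero or manual) regardless of the PAC's own TTL."""
    k = pac.key
    return k.created + k.active_ttl + k.retired_ttl
```

<p>A retired-key window shorter than the tunnel PAC TTL means clients that stay idle past <code>seamless_refresh_deadline</code> land in provisioning rather than a silent refresh.</p>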
<p> </p>
<blockquote>
<A HREF="#Top">[Back to Top]</A>
<p>
<A NAME="CLIENT"><B>Client initial message</B></A> </p>
</blockquote>
<ul>
<li><B>Client initial message</B>—To specify a message for users who use a Cisco EAP-FAST client, type the message in the <B>Client initial message</B> box.</li>
</ul>
<blockquote>
<P dir="ltr"><i><B>Note:</B> A user will see the initial message only if the end-user client supports its display.</i></P>
<P dir="ltr">
<A HREF="#Top">[Back to Top]</A> </P>
<A NAME="AUTHID"><B>Authority ID Info</B></A>
<p><b>Authority ID Info</b>—This
is the textual identity of this ACS server, which end-user clients can use to
determine which ACS server to authenticate against. This field is mandatory.</p>
<p>
<A HREF="#Top">[Back to Top]</A> </p>
</blockquote>
<UL>
<A NAME="ALLOWAN"><B>Allow anonymous in-band PAC provisioning</B></A>
</UL>
<blockquote>
<P>ACS provisions an
end-user client with a PAC using EAP-FAST phase zero. If this check box is
selected, ACS establishes a secure connection with the end-user client
to provide the client with a new PAC. This option allows an
anonymous TLS handshake between the end-user client and ACS. EAP-MSCHAP will be used as the only inner method in phase zero.</P><P>
<A HREF="#Top">[Back to Top]</A> </P>
</blockquote>
<blockquote>
<A NAME="ALLOWAU"><B>Allow authenticated in-band PAC provisioning</B></A>
<p>ACS provisions an end-user client with a PAC using EAP-FAST phase zero with SSL
server-side authentication. This option requires that a server certificate and a
trusted root CA are installed on ACS. One of the allowed inner methods will then
be used to authenticate the user.</p>
</blockquote>
<blockquote>
<P>In addition, the client may send its certificate to the server, resulting in
mutual TLS authentication. In this case, ACS skips the inner methods and
provisions the PAC.</P>
</blockquote>
<UL>
<li>
<b>Accept client on authenticated provisioning</b>—This
option is only available when the <b>Allow authenticated in-band PAC provisioning</b> option is
selected.
By default, the server sends an Access-Reject at the end of the
provisioning phase, forcing the client to
re-authenticate using the tunnel PAC.
Selecting this option enables ACS to send an Access-Accept to the client at the end of the
provisioning phase instead.
</li>
<li><b>Require client certificate for provisioning</b>—This option allows PACs to be provisioned based on certificates
only; other inner EAP methods for PAC provisioning are not allowed.
If the client does not present its certificate during the first TLS
handshake, the server initiates a TLS renegotiation. The
renegotiation requests the client to
start a new TLS handshake protected by the cipher negotiated in the first
handshake. During the second TLS handshake the server requests the
client's certificate. If the certificate is not sent, the handshake fails and the user is denied access.</li>
</UL>
<blockquote>
<p>
<A HREF="#Top">[Back to Top]</A> </p>
</blockquote>
<UL>
<A NAME="STRIPPEDIID"><B>Allow stripped user identity on PAC provisioning</B></A>
<p>ACS provisions an end-user client with a PAC using EAP-FAST phase zero. If this check box is selected, ACS provisions the client with a new PAC using the stripped user identity; this retains ACS 3.x behavior.</p>
</UL>
<blockquote>
<p>
<A HREF="#Top">[Back to Top]</A> </p>
</blockquote>
<UL>
<A NAME="ALLOWMA"><B>Allow Machine Authentication</B></A>
<p>ACS provisions an end-user client with a
machine PAC and performs machine authentication (for end-user clients that do not
have machine credentials). The machine PAC can be provisioned
to the client by request (in-band) or by an administrator (out-of-band). When ACS receives a valid machine PAC from the end-user client, the machine
identity details are extracted from the PAC and verified in the ACS database or external
databases. After these details are correctly verified, no further
authentication is performed.</p>
</UL>
<blockquote>
<p><i><b>Note: </b>After performing machine authentication, when the Required or Posture Only check boxes are
selected, ACS also requests the posture credentials.</i></p>
</blockquote>
<ul>
<li>
<b>Machine PAC TTL</b>—Enter a value for the amount of time that a machine PAC
is acceptable for use. When