Cisco Systems 3.3 Manual De Usuario
10-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
Cisco Secure ACS supports password aging with EAP-FAST for users
authenticated by Windows user databases. Password aging can work with either
phase zero or phase two of EAP-FAST. If password aging requires a user to
change passwords during phase zero, the new password would be effective in
phase two. For more information about password aging for Windows user
databases, see
authenticated by Windows user databases. Password aging can work with either
phase zero or phase two of EAP-FAST. If password aging requires a user to
change passwords during phase zero, the new password would be effective in
phase two. For more information about password aging for Windows user
databases, see
.
About Master Keys
EAP-FAST master keys are strong secrets that Cisco Secure ACS automatically
generates and that only Cisco Secure ACS is aware of. Master keys are never sent
to an end-user client. EAP-FAST requires master keys for two purposes:
generates and that only Cisco Secure ACS is aware of. Master keys are never sent
to an end-user client. EAP-FAST requires master keys for two purposes:
•
PAC generation—Cisco Secure ACS generates PACs using the active master
key. For details about PACs, see
key. For details about PACs, see
•
EAP-FAST phase one—Cisco Secure ACS determines whether the PAC
presented by the end-user client was generated by one of the master keys it is
aware of, either the active master key or a retired master key.
presented by the end-user client was generated by one of the master keys it is
aware of, either the active master key or a retired master key.
To increase the security of EAP-FAST, Cisco Secure ACS changes the master key
that it uses to generate PACs. Cisco Secure ACS uses time-to-live (TTL) values
you define to determine when it generates a new master key and to determine the
age of all master keys. Based on TTL values, Cisco Secure ACS assigns master
keys one of the three following states:
that it uses to generate PACs. Cisco Secure ACS uses time-to-live (TTL) values
you define to determine when it generates a new master key and to determine the
age of all master keys. Based on TTL values, Cisco Secure ACS assigns master
keys one of the three following states:
•
Active—An active master key is the master key used by Cisco Secure ACS to
generate PACs. The duration that a master key remains active is determined
by the Master key TTL setting. At any time, only one master key is active.
When you define TTLs for master keys and PACs, Cisco Secure ACS permits
only a PAC TTL that is shorter than the active master key TTL. This limitation
ensures that a PAC is refreshed at least once before the expiration of the
master key used to generate the PAC, provided that EAP-FAST users log in
to the network at least once before the master key expires. For more
information about how TTL values determine whether PAC refreshing or
provisioning is required, see
generate PACs. The duration that a master key remains active is determined
by the Master key TTL setting. At any time, only one master key is active.
When you define TTLs for master keys and PACs, Cisco Secure ACS permits
only a PAC TTL that is shorter than the active master key TTL. This limitation
ensures that a PAC is refreshed at least once before the expiration of the
master key used to generate the PAC, provided that EAP-FAST users log in
to the network at least once before the master key expires. For more
information about how TTL values determine whether PAC refreshing or
provisioning is required, see
.
When Cisco Secure ACS is configured to receive replicated EAP-FAST
policies and master keys, a backup master key is among the master keys
received. The backup master key is used only if the active master key retires
policies and master keys, a backup master key is among the master keys
received. The backup master key is used only if the active master key retires