Cisco Systems CSACS3415K9 User Guide
B-18
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
PEAPv0/1
Figure B-3 PEAP Processing Flow

[Figure B-3 shows the two PEAP phases. Phase 1: the client authenticates the server certificate and the TLS tunnel is created. Phase 2: user authentication credentials are sent through the TLS tunnel again using EAP; the RADIUS server authenticates to the user repository; the AP gets encryption keys; the client gets network access.]

Creating the TLS Tunnel

The following describes the process for creating the TLS tunnel:
1. After creating a logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.

2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.

3. The wireless AP sends the EAP-Response/Identity message to ACS. From this point on, the logical communication occurs between ACS and the wireless client by using the wireless AP as a pass-through device.

4. ACS sends an EAP-Request/Start PEAP message to the wireless client.

5. The wireless client and ACS exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated. In ACS 5.4, the client certificate is not used in PEAP.

6. At the end of the PEAP negotiation, ACS has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (by using public key cryptography, not passwords) for the TLS channel.
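The steps above describe the EAP conversation that carries PEAP phase 1, but not how the packets on the wire look. The following Python script is an added example, not Cisco's code or part of the ACS documentation: it encodes and decodes EAP packets as laid out in RFC 3748, builds the EAP-Request/Start PEAP packet of step 4 (EAP method type 25 with only the S flag set), and shows how the TLS messages of step 5 are fragmented across EAP packets with the PEAP L/M flags and reassembled with the length checks a receiver should apply. All function names are mine, PEAPv0 is assumed, the "TLS" bytes are a constructed placeholder rather than a real ClientHello, and identifier handling is simplified (a real exchange acknowledges every fragment with an empty PEAP response before the next one is sent).

```python
"""Added example (not Cisco's code): EAP/PEAP framing for the phase-1 tunnel
setup described in steps 1-6.  Packet layouts follow RFC 3748 (EAP) and the
PEAP draft (EAP type 25, one L/M/S flag byte).  The TLS bytes used below are a
constructed placeholder, not a real ClientHello."""
import struct

# EAP codes and method types (RFC 3748); PEAP is EAP method type 25.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
# PEAP flag bits in the first type-data byte: L = length field included,
# M = more fragments follow, S = start; the low three bits carry the version.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
PEAP_VERSION = 0  # PEAPv0 (assumption for this example)


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Decode an EAP packet, rejecting truncated or mis-sized frames."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match frame size")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response carries no Type")
        return {"code": code, "id": identifier, "type": packet[4], "data": packet[5:]}
    return {"code": code, "id": identifier, "type": None, "data": b""}


def peap_start(identifier, version=PEAP_VERSION):
    """Step 4: EAP-Request/Start PEAP is a PEAP packet whose only payload is the S flag."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_PEAP, bytes([FLAG_S | version]))


def is_peap_start(packet):
    """What the client checks on receipt of step 4 before it answers with TLS data."""
    p = parse_eap(packet)
    return (p["code"] == EAP_REQUEST and p["type"] == EAP_TYPE_PEAP
            and len(p["data"]) == 1 and (p["data"][0] & 0xE0) == FLAG_S)


def peap_fragments(code, identifier, tls_data, max_payload):
    """Step 5: carry one TLS message in EAP-PEAP packets.  The first fragment
    sets L and announces the total length; every fragment but the last sets M.
    Identifiers are simply incremented here (simplification, see lead-in)."""
    if max_payload <= 5:
        raise ValueError("max_payload must leave room for flags and length")
    frags, offset, first = [], 0, True
    while True:
        room = max_payload - 1 - (4 if first else 0)   # flag byte, optional length
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_data) else 0)
        data = bytes([flags | PEAP_VERSION])
        if first:
            data += struct.pack("!I", len(tls_data))
        frags.append(build_eap(code, identifier, EAP_TYPE_PEAP, data + chunk))
        identifier, first = (identifier + 1) & 0xFF, False
        if offset >= len(tls_data):
            return frags


def peap_reassemble(packets):
    """Rebuild the TLS message on the receiving side, checking the L/M flags and
    the announced length so a malformed fragment train is rejected, not trusted."""
    buf, expected = b"", None
    for i, pkt in enumerate(packets):
        p = parse_eap(pkt)
        if p["type"] != EAP_TYPE_PEAP or not p["data"]:
            raise ValueError("not a PEAP fragment")
        flags, rest = p["data"][0], p["data"][1:]
        if flags & FLAG_L:
            if expected is not None or len(rest) < 4:
                raise ValueError("unexpected or truncated length field")
            expected, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        buf += rest
        if bool(flags & FLAG_M) != (i < len(packets) - 1):
            raise ValueError("M flag inconsistent with fragment position")
        if expected is not None and len(buf) > expected:
            raise ValueError("data exceeds announced length")
    if expected is not None and len(buf) != expected:
        raise ValueError("reassembled length does not match announcement")
    return buf


if __name__ == "__main__":
    # Constructed walk-through of steps 1-5; the AP relays frames unchanged (step 3).
    req_id = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)                           # 1: AP -> client
    resp_id = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@example.com")   # 2: client -> AP
    relayed = resp_id                                                                # 3: AP -> ACS
    start = peap_start(2)                                                            # 4: ACS -> client
    assert is_peap_start(start) and not is_peap_start(req_id)
    client_hello = bytes(range(40))                                                  # 5: constructed TLS bytes
    frags = peap_fragments(EAP_RESPONSE, 2, client_hello, max_payload=16)
    print(len(frags), "fragments;", peap_reassemble(frags) == client_hello)
```

The reassembly side is where the defensive checks live: a receiver that trusts the announced length without bounding the buffer, or that accepts a train whose last fragment still carries M, is accepting malformed input from an unauthenticated peer, since at this point in phase 1 nothing has been authenticated yet.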