Cisco Systems CSACS3415K9 Manual De Usuario
B-19
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-FAST
Authenticating with MSCHAPv2
After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with
MSCHAPv2:
MSCHAPv2:
At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge
of the correct password (the response to the ACS challenge string), and ACS has provided proof of
knowledge of the correct password (the response to the wireless client challenge string). The entire
exchange is encrypted through the TLS channel created in PEAP.
of the correct password (the response to the ACS challenge string), and ACS has provided proof of
knowledge of the correct password (the response to the wireless client challenge string). The entire
exchange is encrypted through the TLS channel created in PEAP.
Related Topics
•
•
EAP-FAST
This section contains the following topics:
•
•
•
Overview of EAP-FAST
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a new, publicly accessible
IEEE 802.1x EAP type that Cisco developed to support customers that cannot enforce a strong password
policy and want to deploy an 802.1x EAP type that does not require digital certificates.
IEEE 802.1x EAP type that Cisco developed to support customers that cannot enforce a strong password
policy and want to deploy an 802.1x EAP type that does not require digital certificates.
EAP-FAST supports a variety of user and password database types, password change and expiration, and
is flexible, easy to deploy, and easy to manage. For more information about EAP-FAST and comparison
with other EAP types, see:
is flexible, easy to deploy, and easy to manage. For more information about EAP-FAST and comparison
with other EAP types, see:
.
1
ACS sends an EAP-Request/Identity message.
2
The wireless client responds with an
EAP-Response/Identity message that contains the
identity (user or computer name) of the wireless client.
EAP-Response/Identity message that contains the
identity (user or computer name) of the wireless client.
3
ACS sends an EAP-Request/EAP-MSCHAPv2 challenge
message that contains a challenge string.
message that contains a challenge string.
4
The wireless client responds with an
EAP-Response/EAP-MSCHAPv2 Response message
that contains the response to the ACS challenge string
and a challenge string for ACS.
EAP-Response/EAP-MSCHAPv2 Response message
that contains the response to the ACS challenge string
and a challenge string for ACS.
5
ACS sends an EAP-Request/EAP-MSCHAPv2 success
message, which indicates that the wireless client
response was correct and contains the response to the
wireless client challenge string.
message, which indicates that the wireless client
response was correct and contains the response to the
wireless client challenge string.
6
The wireless client responds with an
EAP-Response/EAP-MSCHAPv2 acknowledgment
message, indicating that the ACS response was correct.
EAP-Response/EAP-MSCHAPv2 acknowledgment
message, indicating that the ACS response was correct.
7
ACS sends an EAP-Success message.