Cisco Systems CSACS3415K9 Manual De Usuario
B-28
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-FAST
For information about how master key generation and PAC TTL values determine whether PAC
provisioning or PAC refreshing is required, see
provisioning or PAC refreshing is required, see
Step 3
Determine whether you want to use automatic or manual PAC provisioning.
For more information about the two means of PAC provisioning, see
, and
We recommend that you limit the use of Automatic In-Band PAC Provisioning to initial deployments of
EAP-FAST, before you use manual PAC provisioning for adding small numbers of new end-user clients
to your network and replacing PACs based on expired master keys.
EAP-FAST, before you use manual PAC provisioning for adding small numbers of new end-user clients
to your network and replacing PACs based on expired master keys.
Step 4
Using the decisions during
and
, enable EAP-FAST in the Global Systems Options drawer.
See
for more information.
ACS is ready to perform EAP-FAST authentication.
Note
Inner-identity will not be logged when:
the workstation not allowed
error appears, the SSL
Handshake fails, EAP-PAC is provisioned, and ACS receives an invalid PAC.
Related Topics
•
•
EAP-FAST PAC Management
The EAP-FAST master-key in ACS is used to encrypt or decrypt, sign and authenticate the PACs and
PAC-Opaque's that are used by EAP-FAST to store server opaque data by a supplicant. EAP-FAST
requires a distributed mechanism by which each server in the ACS domain is able to pack and unpack
PACs securely, including those which were packed on a different server.
PAC-Opaque's that are used by EAP-FAST to store server opaque data by a supplicant. EAP-FAST
requires a distributed mechanism by which each server in the ACS domain is able to pack and unpack
PACs securely, including those which were packed on a different server.
The EAP-FAST master-key must have a common secret that is known to all servers in the ACS domain.
The master-key is periodically refreshed and keys are replaced securely and synchronized by all ACS
servers. The keys are generated of high entropy to comply with strong cryptographic standards such as
FIPS-140.
The master-key is periodically refreshed and keys are replaced securely and synchronized by all ACS
servers. The keys are generated of high entropy to comply with strong cryptographic standards such as
FIPS-140.
In previous versions of ACS, the master-key was distributed by the ACS distribution mechanism and was
replaced from time to time to improve the security of those keys. ACS 5.4 introduces a new scheme that
provides simplicity, correctness, robustness, and security for master -key distribution.
replaced from time to time to improve the security of those keys. ACS 5.4 introduces a new scheme that
provides simplicity, correctness, robustness, and security for master -key distribution.
The ACS EAP-FAST new distribution scheme contains a secure way of distributing the common
seed-key, from which each ACS server can deterministically derive the same set of master-keys. Each
PAC contains the information that the master-key was derived from, and each server can securely
reconstruct the master-key that encrypted and signed the PAC.
seed-key, from which each ACS server can deterministically derive the same set of master-keys. Each
PAC contains the information that the master-key was derived from, and each server can securely
reconstruct the master-key that encrypted and signed the PAC.
This scheme improves the security by reducing the amount of cryptographic sensitive material that is
transmitted.
transmitted.
This section contains the following topics:
•
•
•