Cisco Systems 3.3 User Manual
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-24
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
accepted by the secondary Cisco Secure ACS in a replication scheme where
the EAP-FAST master server setting is enabled on the secondary
Cisco Secure ACS.
Tip
In a replicated Cisco Secure ACS environment, use the EAP-FAST master server
feature in conjunction with disallowing automatic PAC provisioning to control
EAP-FAST access to different segments of your network. Without automatic PAC
provisioning, users must request PACs for each network segment.
• Disabled—When the EAP-FAST master server check box is not selected,
Cisco Secure ACS continues to operate as an EAP-FAST master server until
the first time it receives replicated EAP-FAST components from the primary
Cisco Secure ACS. When “Actual EAP-FAST server status” displays the text
Slave, Cisco Secure ACS uses the EAP-FAST settings, Authority ID, and
master keys it receives from a primary Cisco Secure ACS during replication,
rather than using master keys it generates and its unique Authority ID.
Note
When you deselect the EAP-FAST master server check box, the
“Actual EAP-FAST server status” remains Master until Cisco Secure
ACS receives replicated EAP-FAST components and then the “Actual
EAP-FAST server status” changes to Slave. Until “Actual EAP-FAST
server status” changes to Slave, Cisco Secure ACS acts as a master
EAP-FAST server, using master keys it generates, its unique
Authority ID, and the EAP-FAST settings configured in its HTML
interface.
Disabling the EAP-FAST master server setting eliminates the need for
providing a different PAC from the primary and secondary Cisco Secure
ACSes. This is because the primary and secondary Cisco Secure ACSes send
the end-user client the same Authority ID at the beginning of the EAP-FAST
transaction; therefore, the end-user client uses the same PAC in its response
to either Cisco Secure ACS. Also, a PAC generated for a user by one
Cisco Secure ACS in a replication scheme where the EAP-FAST master
server setting is disabled is accepted by all other Cisco Secure ACSes in the
same replication scheme.
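The status transition and PAC acceptance rules described above can be traced with a small model. This is an added example, not Cisco code: the class, method names, and the use of an HMAC tag as a stand-in for the protected PAC contents are assumptions made for illustration.

```python
import hmac, hashlib, os

class AcsModel:
    """Toy model of one Cisco Secure ACS node's EAP-FAST state (hypothetical, not Cisco code)."""
    def __init__(self, name, master_server_checkbox):
        self.name = name
        self.master_server_checkbox = master_server_checkbox  # configured setting
        self.actual_status = "Master"             # stays Master until replication arrives
        self.authority_id = os.urandom(16).hex()  # unique Authority ID the node generates
        self.master_key = os.urandom(32)          # master key the node generates

    def receive_replication(self, primary):
        # With the check box selected, the node keeps its own Authority ID and keys.
        if self.master_server_checkbox:
            return
        self.authority_id = primary.authority_id
        self.master_key = primary.master_key
        self.actual_status = "Slave"

    def issue_pac(self, user):
        # Assumption: an HMAC tag stands in for the key-protected PAC contents.
        tag = hmac.new(self.master_key, user.encode(), hashlib.sha256).hexdigest()
        return {"authority_id": self.authority_id, "user": user, "tag": tag}

    def accepts(self, pac):
        # The client selects a PAC by Authority ID; the server checks it with its key.
        if pac["authority_id"] != self.authority_id:
            return False
        expected = hmac.new(self.master_key, pac["user"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, pac["tag"])

def scenario(secondary_checkbox):
    """Return (status before replication, status after, primary's PAC accepted by secondary)."""
    primary = AcsModel("primary", master_server_checkbox=True)
    secondary = AcsModel("secondary", master_server_checkbox=secondary_checkbox)
    before = secondary.actual_status
    secondary.receive_replication(primary)
    pac = primary.issue_pac("alice")  # constructed sample user
    return before, secondary.actual_status, secondary.accepts(pac)

if __name__ == "__main__":
    for checkbox in (True, False):
        print("master server check box on secondary:", checkbox, scenario(checkbox))
```

When auditing a replication scheme, compare each secondary's “Actual EAP-FAST server status” with its check box setting: a node that still shows Master is authenticating with its own Authority ID and master keys.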
For more information about replication, see