Cisco Systems 3.3 Manual De Usuario
10-25
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
Enabling EAP-FAST
This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support EAP-FAST authentication.
configure Cisco Secure ACS to support EAP-FAST authentication.
Note
End-user clients must be configured to support EAP-FAST. This procedure is
specific to configuring Cisco Secure ACS only.
specific to configuring Cisco Secure ACS only.
Before You Begin
The steps in this procedure are a suggested order only. Enabling EAP-FAST at
your site may require recursion of these steps or performing these steps in a
different order. For example, in this procedure, determining how you want to
support PAC provisioning comes after configuring a user database to support
EAP-FAST; however, choosing automatic PAC provisioning places different
limits upon user database support.
your site may require recursion of these steps or performing these steps in a
different order. For example, in this procedure, determining how you want to
support PAC provisioning comes after configuring a user database to support
EAP-FAST; however, choosing automatic PAC provisioning places different
limits upon user database support.
To enable Cisco Secure ACS to perform EAP-FAST authentication, follow these
steps:
steps:
Step 1
Configure a user database that supports EAP-FAST authentication. To determine
which user databases support EAP-FAST authentication, see
which user databases support EAP-FAST authentication, see
. For user database configuration, see
Note
User database support differs for EAP-FAST phase zero and phase two.
Cisco Secure ACS supports use of the Unknown User Policy and group mapping
with EAP-FAST, as well as password aging with Windows external user
databases.
with EAP-FAST, as well as password aging with Windows external user
databases.
Step 2
Determine master key and PAC TTL values. While changing keys and PACs more
frequently could be considered more secure, it also increases the likelihood that
PAC provisioning will be needed for machines left offline so long that the PACs
on them are based on expired master keys.
frequently could be considered more secure, it also increases the likelihood that
PAC provisioning will be needed for machines left offline so long that the PACs
on them are based on expired master keys.
Also, if you reduce the TTL values that you initially deploy EAP-FAST with, you
may force PAC provisioning to occur because users would be more likely to have
PACs based on expired master keys.
may force PAC provisioning to occur because users would be more likely to have
PACs based on expired master keys.