Cisco Systems 3.3 User Manual
Chapter 10 System Configuration: Authentication and Certificates
Global Authentication Setup
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
session timeout (minutes) box, selecting the Enable Fast Reconnect
check box has no effect on PEAP authentication and phase two of PEAP
authentication always occurs.
• EAP-FAST—You can configure the following options for EAP-FAST:
– Allow EAP-FAST—Whether Cisco Secure ACS permits EAP-FAST
authentication.
Note
If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet) device,
one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be
enabled on the Global Authentication Setup page; otherwise, Cisco
Aironet users cannot authenticate.
– Master Key TTL—The duration that a master key is used to generate
new PACs. When the master key becomes older than the master key TTL,
Cisco Secure ACS retires the master key and generates a new master key.
The default master key TTL is one month.
Note
Decreasing the master key TTL can cause retired master keys to
expire because a master key expires when it is older than the sum of
the master key TTL and the retired master key TTL; therefore,
decreasing the master key TTL requires PAC provisioning for
end-user clients with PACs based on the newly expired master keys.
For more information about master keys, see
– Retired master key TTL—The duration that PACs generated using a
retired master key are acceptable for EAP-FAST authentication. In other
words, the retired master key TTL defines the length of the grace period
during which PACs generated with a master key that is no longer active
are acceptable. When an end-user client gains network access using a
PAC based on a retired master key, Cisco Secure ACS sends a new PAC
to the end-user client. The default retired master key TTL is three
months.
When a retired master key ages past the retired master key TTL, it expires
and Cisco Secure ACS deletes it.
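The Python sketch below is an added example, not part of the Cisco guide or of Cisco Secure ACS. It models the master key lifecycle described above (active, retired, expired) and shows which keys a reduced master key TTL pushes past the sum of the two TTLs, so that clients holding PACs based on them need PAC provisioning. Assumptions: 30 and 90 days stand in for the one-month and three-month defaults, and the key names, ages and outcome strings are constructed for illustration.

```python
from enum import Enum

class KeyState(Enum):
    ACTIVE = "active"    # used to generate new PACs
    RETIRED = "retired"  # grace period: PACs accepted, client gets a new PAC
    EXPIRED = "expired"  # deleted: PACs based on it are no longer acceptable

def key_state(age_days, master_ttl_days, retired_ttl_days):
    """Classify a master key by its age, following the rules in the text."""
    if age_days <= master_ttl_days:
        return KeyState.ACTIVE
    # Expiry happens once the key is older than the SUM of both TTLs.
    if age_days <= master_ttl_days + retired_ttl_days:
        return KeyState.RETIRED
    return KeyState.EXPIRED

def pac_outcome(state):
    """Modeled result for a client presenting a PAC based on a key in this state."""
    return {
        KeyState.ACTIVE: "accept",
        KeyState.RETIRED: "accept and send new PAC",
        KeyState.EXPIRED: "reject; PAC provisioning required",
    }[state]

def newly_expired(key_ages, old_master_ttl, new_master_ttl, retired_ttl):
    """Keys still usable under the old master key TTL that expire under the new one."""
    return [
        name for name, age in key_ages.items()
        if key_state(age, old_master_ttl, retired_ttl) is not KeyState.EXPIRED
        and key_state(age, new_master_ttl, retired_ttl) is KeyState.EXPIRED
    ]

# Assumptions: 30 and 90 days stand in for the one-month and three-month defaults.
DEFAULT_MASTER_TTL, DEFAULT_RETIRED_TTL = 30, 90
# Constructed sample: hypothetical key names mapped to age in days.
SAMPLE_KEY_AGES = {"mk-a": 20, "mk-b": 50, "mk-c": 100, "mk-d": 130}

if __name__ == "__main__":
    proposed_master_ttl = 7  # hypothetical reduced master key TTL, in days
    for name, age in SAMPLE_KEY_AGES.items():
        before = key_state(age, DEFAULT_MASTER_TTL, DEFAULT_RETIRED_TTL)
        after = key_state(age, proposed_master_ttl, DEFAULT_RETIRED_TTL)
        print(f"{name} age={age}d: {before.value} -> {after.value} ({pac_outcome(after)})")
    print("need re-provisioning:", newly_expired(
        SAMPLE_KEY_AGES, DEFAULT_MASTER_TTL, proposed_master_ttl, DEFAULT_RETIRED_TTL))
```

Running the same check against the real key ages before lowering the master key TTL tells you how many clients will need new PACs provisioned after the change.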