Руководство По Проектированию для Cisco Cisco Cius 4G
Cisco Cius Wireless Deployment Guide
20
• Remote Lock
• Remote Wipe
• Cisco AnyConnect VPN Client
Extensible Authentication Protocol – Flexible Authentication via Secure
Tunneling (EAP-FAST)
Tunneling (EAP-FAST)
This client server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the
access point and the Remote Authentication Dial-in User Service (RADIUS) server such as the Cisco Access Control Server
(ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (Cisco Cius) and the RADIUS
server. The server sends an Authority ID (AID) to the client (Cisco Cius), which in turn selects the appropriate PAC. The client
(Cisco Cius) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints
now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must enable don
the RADIUS server.
To enable EAP-FAST, a certificate must be installed on to the RADIUS server.
access point and the Remote Authentication Dial-in User Service (RADIUS) server such as the Cisco Access Control Server
(ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (Cisco Cius) and the RADIUS
server. The server sends an Authority ID (AID) to the client (Cisco Cius), which in turn selects the appropriate PAC. The client
(Cisco Cius) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints
now have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must enable don
the RADIUS server.
To enable EAP-FAST, a certificate must be installed on to the RADIUS server.
Cisco Cius currently supports only automatic provisioning of the PAC, so enable Allow anonymous in-band PAC
provisioning on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled.
EAP-FAST requires that a user account be created on the authentication server.
provisioning on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled.
EAP-FAST requires that a user account be created on the authentication server.