10-5
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
Note: If you use certificate binary comparison, the user certificate must be
stored in a binary format. Also, for generic LDAP and Active
Directory, the attribute storing the certificate must be the standard
LDAP attribute named “usercertificate”.
When you set up EAP-TLS, you can select the criterion (one, two, or all) that
Cisco Secure ACS uses. For more information, see Configuring Authentication
Options, page 10-33.
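The note above says that binary comparison needs the directory to hold the certificate as bytes. The following added example (not code from Cisco Secure ACS or this guide) models that check: a byte-for-byte comparison of the certificate presented in the EAP-TLS handshake against the value stored in the usercertificate attribute, and shows why a PEM text copy of the same certificate fails it. The certificate bytes and the helper names are constructed placeholders.

```python
import base64
import re

# Constructed placeholder for the DER encoding of a user certificate; it is
# not a real certificate, only a byte string to compare against.
USER_CERT_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + b"constructed-certificate-body"

_PEM_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (base64 text) the way a text export would."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armor and base64-decode the body back to binary (DER) form."""
    body = _PEM_ARMOR.sub("", pem_text)
    return base64.b64decode("".join(body.split()))


def binary_comparison_matches(presented_der: bytes, stored_attribute) -> bool:
    """Binary comparison as the guide describes it: the stored attribute value
    is compared byte for byte with the certificate presented by the client.
    A stored value that is text (PEM) can never match the DER bytes on the wire."""
    if not isinstance(stored_attribute, (bytes, bytearray)):
        return False
    return bytes(stored_attribute) == presented_der


def check_stored_forms():
    """Compare the presented certificate against two ways of storing it."""
    stored_binary = USER_CERT_DER                # usercertificate holds DER bytes
    stored_text = der_to_pem(USER_CERT_DER)      # usercertificate holds PEM text
    return {
        "binary_stored": binary_comparison_matches(USER_CERT_DER, stored_binary),
        "pem_stored": binary_comparison_matches(USER_CERT_DER, stored_text),
        "pem_normalized": binary_comparison_matches(USER_CERT_DER, pem_to_der(stored_text)),
    }


if __name__ == "__main__":
    print(check_stored_forms())
```

The `pem_normalized` entry shows that the PEM copy is the same certificate; it only fails because the comparison is on raw bytes, which is why the directory attribute must be populated in binary form rather than converted at lookup time.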
Cisco Secure ACS supports a session resume feature for EAP-TLS-authenticated
user sessions, a particularly useful feature for WLANs, wherein a user may move
the client computer so that a different wireless access point is in use. When this
feature is enabled, Cisco Secure ACS caches the TLS session created during
EAP-TLS authentication, provided that the user successfully authenticates. If a
user needs to reconnect and the original EAP-TLS session has not timed out,
Cisco Secure ACS uses the cached TLS session, resulting in faster EAP-TLS
performance and lessened AAA server load. When Cisco Secure ACS resumes an
EAP-TLS session, the user reauthenticates by SSL handshake only, without a
certificate comparison.
In effect, enabling EAP-TLS session resume allows Cisco Secure ACS to trust a
user based on the cached TLS session from the original EAP-TLS authentication.
Because Cisco Secure ACS only caches a TLS session when a new EAP-TLS
authentication succeeds, the existence of a cached TLS session is proof that the
user has successfully authenticated within the number of minutes defined by the
EAP-TLS session timeout option.
Note: Session timeout is based on the time of the initial, full authentication of the
session. It is not dependent upon an accounting start message.
Changes to group assignment in an external user database are not enforced by the
session resume feature. This is because group mapping does not occur when a user
session is resumed. Instead, the user is mapped to the same Cisco Secure ACS
group that the user was mapped to upon the beginning of the session. Upon the
start of a new session, group mapping enforces the new group assignment.
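The behaviour described in the preceding paragraphs (a TLS session is cached only after a successful full EAP-TLS authentication, a resume within the timeout skips the certificate comparison and group mapping, and a new full authentication picks up a changed group) can be modelled in a few lines. This is an added example written for this page, not code from Cisco Secure ACS; the timeout value, the session identifiers, the directory contents and the two callbacks are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class CachedSession:
    user: str
    group: str               # ACS group assigned by group mapping at the full authentication
    authenticated_at: float  # time of the initial full authentication, not of an accounting start


class EapTlsResumeModel:
    """Hypothetical model of the EAP-TLS session resume feature described in the guide."""

    def __init__(self, timeout_minutes, verify_certificate, map_group):
        self.timeout_seconds = timeout_minutes * 60
        self.verify_certificate = verify_certificate  # assumed callback: (user, cert) -> bool
        self.map_group = map_group                    # assumed callback: user -> group name
        self.cache = {}                               # tls_session_id -> CachedSession

    def authenticate(self, user, tls_session_id, cert, now):
        cached = self.cache.get(tls_session_id)
        if cached is not None and cached.user == user \
                and now - cached.authenticated_at < self.timeout_seconds:
            # Resume: SSL handshake only. No certificate comparison and no
            # group mapping; the group from the original authentication is reused.
            return "resumed", cached.group
        # Unknown or timed-out session: full authentication with certificate comparison.
        self.cache.pop(tls_session_id, None)
        if not self.verify_certificate(user, cert):
            return "rejected", None
        group = self.map_group(user)
        # Only a successful full authentication populates the cache.
        self.cache[tls_session_id] = CachedSession(user, group, now)
        return "full", group


def demo():
    """Walk one user through full auth, a resume after a group change, and expiry."""
    directory_group = {"alice": "Employees"}            # constructed external database
    presented = {"alice": b"DER-bytes-of-alice-cert"}   # constructed placeholder certificate
    acs = EapTlsResumeModel(
        timeout_minutes=120,                            # assumed EAP-TLS session timeout
        verify_certificate=lambda user, cert: cert == presented.get(user),
        map_group=lambda user: directory_group[user],
    )
    results = []
    # t=0: new session, full authentication, group mapped from the directory.
    results.append(acs.authenticate("alice", "sess-1", presented["alice"], now=0))
    # An administrator moves alice to another group in the external database.
    directory_group["alice"] = "Contractors"
    # t=30 min: same session resumes; no certificate is compared and the old group stays.
    results.append(acs.authenticate("alice", "sess-1", b"", now=30 * 60))
    # t=121 min: session has timed out, so a full authentication applies the new group.
    results.append(acs.authenticate("alice", "sess-1", presented["alice"], now=121 * 60))
    # A different session with a non-matching certificate is rejected and never cached.
    results.append(acs.authenticate("alice", "sess-2", b"wrong-cert", now=121 * 60))
    return results


if __name__ == "__main__":
    for step, (outcome, group) in enumerate(demo(), 1):
        print(step, outcome, group)
```

The second step is the one to watch operationally: a group change made in the external database after the initial authentication is not applied until the cached session expires or the user starts a new session, so the EAP-TLS session timeout bounds how long a stale group assignment can persist.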