10-9
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
PEAP authentications always involve two phases. In the first phase, the end-user
client authenticates Cisco Secure ACS. This phase requires a server certificate:
it authenticates Cisco Secure ACS to the end-user client, ensuring that the user
or machine credentials sent in phase two go only to a AAA server that holds a
certificate issued by a trusted CA. The first phase uses a TLS handshake to
establish an SSL tunnel.
Note: Depending on the end-user client involved, the CA certificate for the CA
that issued the Cisco Secure ACS server certificate is likely to be required in
local storage for trusted root CAs on the end-user client computer.
In phase two, Cisco Secure ACS authenticates the user or machine credentials
using an EAP authentication protocol. The EAP authentication is protected by the
SSL tunnel created in phase one. The authentication type negotiated during the
second conversation may be any valid EAP type, such as EAP-GTC (for Generic
Token Card). Because PEAP can support any EAP authentication protocol,
individual combinations of PEAP and EAP protocols are denoted with the EAP
protocol within parentheses, such as PEAP(EAP-GTC). For the authentication
protocols that Cisco Secure ACS supports in phase two of PEAP, see
Authentication Protocol-Database Compatibility, page 1-10.
One improvement in security offered by PEAP is identity protection: the ability
to protect the username in all PEAP transactions. After phase one of PEAP, all
data is encrypted, including the username information that is usually sent in
clear text. The Cisco Aironet PEAP client sends the user identity through the
SSL tunnel only. The initial identity, which is used in phase one and is sent in
the clear, is the MAC address of the end-user client with “PEAP_” as a prefix.
The Microsoft PEAP client does not provide identity protection; it sends the
username in the clear in phase one of PEAP authentication.
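As an added example (not from this guide or from Cisco), the following Python script shows how an administrator could audit whether the phase-one identities arriving at the AAA server expose usernames in the clear: it parses EAP-Response/Identity packets (RFC 3748 framing) and treats an identity of the form PEAP_<MAC> as protected, anything else as a cleartext username. The accepted MAC notations and the sample identities are assumptions; the guide only states the "PEAP_" prefix.

```python
import re
import struct

# EAP header constants from RFC 3748; only the Identity type is needed here.
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Assumed MAC notations for the Aironet-style "PEAP_<MAC>" outer identity.
# The guide states only the "PEAP_" prefix, not how the MAC is written.
_MAC_RE = re.compile(
    r"^PEAP_(?:[0-9A-Fa-f]{12}"
    r"|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})$"
)


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity packet (used to construct sample input)."""
    data = identity.encode()
    length = 5 + len(data)  # Code(1) + Identifier(1) + Length(2) + Type(1) + data
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, length, EAP_TYPE_IDENTITY) + data


def parse_identity_response(pkt: bytes) -> str:
    """Return the identity in an EAP-Response/Identity packet; raise on malformed input."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than header plus type")
    code, _ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return pkt[5:].decode("utf-8", errors="replace")


def classify_outer_identity(identity: str) -> str:
    """'protected' for a PEAP_<MAC> phase-one identity, 'username' otherwise."""
    return "protected" if _MAC_RE.match(identity) else "username"


def audit(packets) -> list:
    """Return the phase-one identities that expose a username in the clear."""
    return [ident for ident in map(parse_identity_response, packets)
            if classify_outer_identity(ident) == "username"]


if __name__ == "__main__":
    # Constructed sample: one Aironet-style identity, one Microsoft-style identity.
    sample = [build_identity_response(1, "PEAP_00:0B:85:12:34:56"),
              build_identity_response(2, "jdoe@example.com")]
    print(audit(sample))  # ['jdoe@example.com']
```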
PEAP and Cisco Secure ACS
Cisco Secure ACS supports PEAP authentication using either the Cisco Aironet
PEAP client or the Microsoft PEAP client included with Microsoft Windows XP
Service Pack 1. Cisco Secure ACS can support the Cisco Aironet PEAP client
with PEAP(EAP-GTC) only. For the Microsoft PEAP client included with
Windows XP Service Pack 1, Cisco Secure ACS supports only
PEAP(EAP-MSCHAPv2). For information about which user databases support
PEAP protocols, see Authentication Protocol-Database Compatibility, page 1-10.