Cisco Systems 3.3 Server User Manual


 
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-14
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Note Phase zero is optional and PACs can be manually provided to
end-user clients (see Manual PAC Provisioning, page 10-20). You
control whether Cisco Secure ACS supports phase zero by selecting
the Allow automatic PAC provisioning check box in the Global
Authentication Configuration page.
No network service is enabled by phase zero of EAP-FAST; therefore, even a
successful EAP-FAST phase zero transaction is recorded in the Cisco Secure
ACS Failed Attempts log.
Phase one—In phase one, Cisco Secure ACS and the end-user client
establish a TLS tunnel based upon the PAC presented by the end-user client.
This requires that the end-user client has been provided a PAC for the user
attempting to gain network access and that the PAC is based on a master key
that has not expired. The means by which PAC provisioning has occurred is
irrelevant; either automatic or manual provisioning may be used.
No network service is enabled by phase one of EAP-FAST.
Phase two—In phase two, Cisco Secure ACS authenticates the user
credentials with EAP-GTC, which is protected by the TLS tunnel created in
phase one. No other EAP types are supported for EAP-FAST. To determine
which databases support EAP-FAST phase two, see Authentication
Protocol-Database Compatibility, page 1-10.
Cisco Secure ACS authorizes network service with a successful user
authentication in phase two of EAP-FAST and logs the authentication in the
Passed Authentications log, if it is enabled. Also, if necessary, Cisco Secure
ACS may refresh the end-user client PAC, which creates a second entry in the
Passed Authentication log for the same phase two transaction.
EAP-FAST can protect the username in all EAP-FAST transactions. Cisco Secure
ACS does not perform user authentication based on a username presented in phase
one; however, whether the username is protected during phase one depends upon
the end-user client. If the end-user client does not send the real username in phase
one, the username is protected. The Cisco Aironet EAP-FAST client protects the
username in phase one by sending
FAST_MAC address in place of the username.
After phase one of EAP-FAST, all data is encrypted, including username
information usually sent in clear text.